Open Source Banking
Cynical Yorkshireman writes "I sold my soul to investment banking a long time ago ... It's nice to know that some of the Wall Street money machines are actually quite forward thinking about IT! Dresdner Kleinwort Wasserstein will announce today (with Collab.net's help) that they are open-sourcing their internal systems integration toolkit.
The official launch is today. Until recently I actually worked at DrKW, and have used this stuff a heck of a lot over the years. Basically, this is a toolkit that allows disparate systems to be connected (Sybase->RV->JMS->IIOP->ETX->MQ->UDB is a snap) in a very, very easy way. Without doubt one of the best pieces of software I have ever seen, and far and away the most useful!
Go get it (when the site opens), and never worry about system interfacing again ..." There's also a Reuters story with more information. Note that openadaptor.org is still password-protected as I write this.
It does use XML. Look at the openadaptor.org website using guest/guest.
Oh. Thanks. Where did you get the username and password? Random guess?
Kent
Basically, do you believe (or whatever) in Open Source enough to bet your bank account on it?
Would you download the source code and inspect it first? or who would you look to, to validate and verify that the code was clean?
after all, it is only your money.
"It is a greater offense to steal men's labor, than their clothes"
Nice to see that Europe is leading the way on this. After all, Dresdner is based in Frankfurt and London...
Makes a nice change from all the Amerocentric stuff...
Hacker: A criminal who breaks into computer systems
"Information wants to be paid"
Well I know for a fact that several large US banking organizations do use Free software here and there, and I know that Euro cutover in the City of London used perl in a heavy way.
Now that being said I would imagine that much of what runs inside a bank is big iron from IBM with a big 4 database on it. But IBM has embraced Linux and free software. And a lot of it is custom I would guess.
Erlang Developer and podcaster
Q1 : Would you trust your money to an open-source bank ?
A1 : No. Hell, I hate banks : they always display the most astounding financial results, while complaining about the economy and laying off as many people as they can.
Do you really think that they will open-source their inner systems : unlikely. Firstly because they largely prefer security by obscurity, and secondly because I doubt the open source community will manage to do something useful with their base of mainframe-based COBOL code. Sure, their web infrastructure will be all unix/win as it can be, but the account will reside on some real safe system.
But as for their integration software, as they pointed out in the article, that will be profitable for them and their clients to have that part of the code improved by the global community : that's just another way of drawing on the global resources.
Worst, they might just tell their clients : our integration software is open sourced, hire some hacker and do not bother us again.[Pruneau
No argument there. My experience in the banking industry (well, the bond trading part of it) as well as (a small) credit card processing company was that they tended to lean toward ``trailing edge'' technology since it was tried and true.
What OSS ``evangelists'' are screaming that it's shareware? Never heard any myself. Shareware has a certain meaning that most OSS advocates that I know don't find particularly applicable to most OSS.
And regarding ``Open Source project management practices being as bad as they are...'': my experience was that project management in the banking industry was no better (and IMHO, actually worse) than other industries and from what I gather the OSS development process. It seemed to be more politically driven than I'd ever seen before... or since. I spent a lot of late nights fixing problems that these development processes produced. Amazing how many vice presidents were calling me at 11:30 P.M. asking for help getting their crappy software kludges to work or backing it out since it was never going to work that night. I worked on projects with more sophisticated development processes on Govt. contracts at a University.
Granted `Open source zealots' might be saying that DMCA `sucks' but a far larger number of people, like consumer rights advocates, are saying the same thing. (Though they don't use the word `suck'.)
--
CUR ALLOC 20195.....5804M
Nicely stated.
More race stuff in one place,
than any one place on the net.
Any other insiders with the magic keys?
Regards,
-scott
Do you know what code your bank uses? I've no idea what mine uses. It never even entered my mind to use it as one of the criteria for choosing it. Why the should I care?
Special Relativity: The person in the other queue thinks yours is moving faster.
Sorry.
Since guest/guest doesn't seem to work anymore.
Regards,
-scott
Yes I do, however I won't get specific on /. . However I will say that most revenue systems are mainframe based, Unisys, IBM etc. Slow, but batch is the bankers' way, old school. It worked just fine for us 30 years ago, why change it.
More race stuff in one place,
than any one place on the net.
The question is: Will it be found by someone willing to tell you about it, or someone who wants to exploit it.
If you don't allow the public to scrutinize your system, the likelihood is that the only people looking at it will be your overworked little development team, and a horde of crackers that don't care that they aren't allowed to "test" your system.
Whether it's safe or not to use open source software for critical stuff depends a lot more on how you do it.
First of all, you shouldn't release a banking system and run on the same version of the code until you've let a lot of people look at it.
Second, firewalls are good. Knowledgeable sys.admins that actually keep an eye both on the system, and the buzz in the hacker community, a huge plus.
Conclusion? If your security is crappy anyway, you certainly run added risks with open source, but if you manage your security well (actually bother to protect the perimeter to your system, and don't run untested software for critical tasks), you'll gain from having good guys looking at your code too, not just bad guys hammering on your system until they accidentally find something (and they will).
I guess one must also wonder whether by guessing the password you've illegally accessed their web site. On the other hand, the password was so trivially easy they probably have no leg to stand on.
Web servers are not revenue stream. Banks like Perl? No, entry level developers who work in bank development shops like perl. The management of most financial institutions don't even know what perl is. They could care less. They only know that "their IT advisors" (IT guy on board) says Open Source is bad because we don't own it, and bad guy hackers may have put in "back doors". As lame as this seems, I can see 348's point and I agree on the whole "revenue Stream" thing. I don't think he/she was referring to productivity applications.
This may come in handy when they decide to Deregulate Banking.
To clarify what the openadaptor software is and is not: As the original poster noted, the openadaptor software provides easy ways to set up connections between different types of applications; it is basically an integration toolkit. However the openadaptor software is not in and of itself a banking application. Thus, for example, openadaptor was used to help implement a global equities derivative trading system at Dresdner Kleinwort Wasserstein, but the openadaptor code itself does not perform the financial calculations involved in derivatives trading.
I should also note that the potential usefulness of openadaptor extends well beyond banking and financial services; any company with large complex IT systems might be interested in it, especially companies that have to integrate systems across divisional or corporate boundaries, for example as a result of a merger or acquisition. (This includes Dresdner Kleinwort Wasserstein itself -- it was known as Dresdner Kleinwort Benson until it recently merged with Wasserstein Perella.)
Among other things (securities, underwriting, etc), an investment bank often has a brokerage department, a trading department, and a research department. All of these generate money and are ideal applications for a web interface.
You can feel free to tell Salomon Smith Barney that their web page doesn't generate any revenue, but I somehow imagine that they feel differently.
-- Don't Tase me, bro!
Have a look at:
they both contain real derivative pricing code.
--
Laurent Guerby <guerby@acm.org>
where Richard Pryor takes all the half cents and buys himself a Porsche. Somebody should make a movie about that!
Game: Player 'Donald J Trump' now has AI skill level 'experimental'.
It is not the case that all changes to a custom Linux kernel must be made public.
--
Linux user since early January 1992.
Good points; I want my money handled by very old, incredibly conservative bankers who distrust anything that hasn't been proven through decades of use, not a bunch of tattooed, earringed, open source zealots who think that software magically gets better the more people who look at the source code. That whole BIND thing of late has just reinforced this.
--
see subject. Maybe they just don't like my IP or something...
Amber Yuan 2k A.D
"and dear god does this website suck now." -- CmdrTaco
Using Open source is not what I stated. Using Open Source or Freeware for Revenue Stream Systems is what I said would never happen. The German company that issued the press release is looking at providing "cooperative plumbing interfaces" for revenue stream interaction between banks and financial institutions. I don't see any major banking consortium supporting this infrastructure.
More race stuff in one place,
than any one place on the net.
Since it doesn't work I must ask this... Did you try guest/guest or are you assuming all websites have that as a password.... Why don't we do like the movies and type "bypass all security" while we are at it.
Financial Organisations will do anything they can get away with to make money, if that means free software they will go for it.
Special Relativity: The person in the other queue thinks yours is moving faster.
It is one of the common combinations to try before giving up, along with /, anonymous/email@ddre.ss, anonymous/coward, and cypherpunks/cypherpunks.
(the latter has failed to work recently -- does anyone know whether it has been killfiled?)
Will a java implementation be ported to the Amiga platform?
Sorry, I forgot to mention: If you will be attending the LinuxWorld conference in New York City this week, there will be a Birds of a Feather session for openadaptor on Thursday, February 1, from 6-7:30 pm EST in room 1E11 of the Jacob Javits Convention Center. The openadaptor developers from Dresdner Kleinwort Wasserstein will be on hand to discuss the openadaptor technology in depth and answer any technical questions you might have. This event is open to all, so please feel free to drop by and attend if you're interested in learning more about openadaptor.
Open Source does not mean NON-Mainframe. There are versions of BSD and Linux, both open source OS's, that run on IBM and Sun mainframes. The recent BIND incident is nothing but another reason WHY open source is so successful. If those DNS servers had been running proprietary code we would never have known how vulnerable they were. Only the hackers would know and they share their secrets amongst themselves on IRC and the Undernet way below the radar of everyone else. Egghead.com was using Microsoft IIS as their webserver. You KNOW that isn't open source. As it turns out they failed to patch their systems as can happen on any OS, however the way proprietary patches are designed they often create more problems than they solve, so not only do proprietary software solutions become vulnerable to regular neglect but to fear of the solutions themselves! When you can't look at the code not only can you not figure out what's wrong, you can't figure out HOW the fix is going to affect you. A good IT techie will always stay on top of the latest exploits and patches. How can one know everything if the source isn't open? Banks aren't safer because they have until now used closed source, they are just more SECRETIVE. 90% of all attacks go un-reported. I know for myself that if I knew what kind of system my bank was using I would feel much more comfortable knowing that it is open source software. It allows for agility, security and speed. With companies such as IBM, Sun, HP, Dell, and Compaq rushing to implement open source solutions this acceptance of this way of using software will only grow with time. The costs in the future will simply become too high for NOT using open code. When something happens and the bosses start asking you why did this happen you'll only be able to answer "I don't know why!!" Why don't you know? Because the code was proprietary and you had no clue what was going on underneath. That's not a position I would want to be in.
Mac OS X and Windows XP working side by side to fight back the night.
Well it's not 100% clear what is meant but I presume:
RV = TIBCO Rendezvous
JMS = Java Message Service
IIOP = Internet Inter-ORB Protocol (or var. Internet InterOperability Protocol)
ETX = Ethernet I presume? Or something else?
MQ = IBM MQ Series (messaging middleware)
UDB = DB2 UDB
I'm considering working for one (doing IT/distributed applications at Morgan Stanley) and I'd appreciate a heads-up.
Thanks!
willis
there is no thing
what else could you want?
The only benefit would be that you can replace your middleware system easier, but how often do you do that? An open-source middleware would be better.
I work as a consultant in banking and finance and I often see these huge webs of interconnected systems with custom programmed interfaces between them. Middlewares help, but they are not the solution to all problems. You still have to interface to the middleware system. Introducing openadaptor would require you to interface to openadaptor, as well as interfacing openadaptor to your middleware (in case your middleware is not of the systems supported directly by openadaptor). How can this make things easier? Or am I missing the point?
Anyway, more complex systems means more work for me, so I guess this is a good thing after all! :)
Even if the Excel has nothing to do with banking, the notion that certain practices, software and hardware could be certified for use is worth looking at.
For example, that Excel can have these bugs and the Pentium chip can have these bugs, should alert us to that these or other bugs can exist in other tools.
Security works on secret keys. Safety works on open processes and modular construction. Only an open process can prevent bugs being hidden. Only a modular process allows the replacement of defective parts in a cost effective way.
A process can be both safe and secure, because while the process of the key is understood, the exact value of it is not. Banks went for many years with bits of paper and keys. The technology of these were understood. The exact form of the key is revealed only to those who have a valid need for a copy of it.
Heed excel bugs, not as defects in one program, but defects in our trust in software.
OS/2 - because choice is a terrible thing to waste.
But that's my point; look how long it took to be discovered, and this is one of the most widespread pieces of software in computing history. As for the banking industry, crackers shouldn't even be able to reverse engineer it; this is all server-side. And even if they did, it's a hell of a lot harder to figure out a hole like that from reverse engineering a binary than looking at the source code. In my opinion, banking systems should be totally proprietary, by which I mean totally specific to that bank.
--
Thanks. But that just makes it worse :)
XML has been touted as the end-all-be-all of system integration. How will this fit into the picture?
Kent
I HATE that term 'forward thinking'. To me, it means nothing. My old job was all about wordy sales pitches what meant squat. In their company mission statement, the word 'solutions' appears five times. FIVE TIMES!
...All I can say is that my life is pretty strange...
It is about time some rigour is introduced in these systems. Banking relies heavily on Excel, and the bugs in Excel are so deep, an article in Journal of Computational Statistics and Data Analysis concluded that
Now, it turns out Excel doesn't do computer arithmetics very well. It's very, very bad, actually...
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Well, as they've cut that off, I might as well post the contents of the front page from my cache (I only visited that and the licence page, posted elsewhere):
Welcome to openadaptor.org
openadaptor is a 100% Java/XML-based software platform which allows for rapid business system integration with little or no custom programming.
openadaptor can be loosely classified as EAI (Enterprise Application Integration) software. It is highly extensible and provides many ready-built interface financial components like Oracle, Sybase, TIBCO, as well as data exchange formats such as XML, Fix, Swift, and HTML.
well cheers collab seem to be going in the right directions
banking is one of the BIG boys and getting accepted in that market counts
hope that linux does as well for them as it
It did work, honest!
Agreed. Let me give you an example. There are web servers that run within kernel space, and are hence very fast. They're open source and available to whoever wants them.
Now let's say an investment bank codes their bond pricing engine into kernel space (the faster you can price bonds, the better). Are they going to be happy that their rivals on the opposite side of The Street can download this technology from RedHat.com? Of course not.
Face it, bankers are old fashioned and play things in a very old school manner.
Lots of banks like perl, of course, but not because it's open source, but because it allows them to write very bad code, very quickly that nevertheless gets the job done. But that's how it works in the Front Office, where short development cycles are everything. On the back office, you'll be seeing the big iron, and I can't see that changing.
P.S. The whole BIND thing won't have made The Street any more trusting of Open Source. Many eyes only make bugs shallow if they're all a) qualified and b) looking, and the Open Source community as a whole has a long way to go on both of those.
I do not work in the banking industry myself.. I do work as a software developer for a large corporation.
I think taking an extremely cautious approach towards any banking system warrants merit. No bank wants to risk exposing themselves to massive lawsuits over inadequate security over a person's account. I feel certain banks do not enjoy risk beyond working the stock market.
However, bankers do occasionally embrace new technologies. Witness the ATM machines, which didn't exist as readily today as twenty years ago. Also witness the growing trend in online-banking. As a new technology, open source development holds promise, but hasn't matured yet. But this doesn't rule it out as a viable technology.
Consequently, I think it's too early to say that the banking industry will never embrace open source. I suspect they simply need to wait for it to prove itself further before they may enjoy its benefits.
I will gently side-step the DMCA issue to point out that many banks provide their own developers towards projects in-house. Consequently, I doubt the DMCA issue needs to be drawn in here; banks would simply have their developers close whatever security issue arose. And, if the banks' developers worked with open source development, they would probably find themselves controlling much of the software... to include project management (possibly).
Open source offers a greater chance towards better security than the rather scary practices they currently hold. I've recently read about the transaction protocols used by the banking industry; if they truly use a 56-bit key to encrypt a password without using public-key encryption, in a relatively short period of time, cracking such transactions should become trivial. This is not the sort of freedom open source developers want to see in their information, and neither should bankers. I do not happen to have the URL for this information readily in hand, or I would merrily direct you to it.
While I'm sure some open source project management might be poorly executed, it doesn't mean all projects are poorly managed. I would point towards the linux kernel itself as a relatively good example of project management in the open source model.
If there truly is 'no confidence communicated that any application developed in the open source model would not be secure...' this would indicate a failing of open source evangelism, and not of the technology. I would challenge 348 to provide credible evidence of a well-known, popularly used open source project relying upon security that proved to be less secure than its close-source counterpart.. and further, upon doing so, I would challenge 348 to note how long it would take for the project to repair said security issues.
As for open source zealotry, screams of 'information wants to be free' and whatnot, I suspect these statements show a lack of understanding of open source values, and a misunderstanding of our culture. I would refer you to esr's Homesteading The Noosphere (sic?) for a better understanding of this culture. Of course, as with any group of people, you have your bad elements... but these do not necessarily represent the collective view. It would be like suggesting that all Americans were money-grubbing opportunists.
And so it goes.
http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=middleware&action=Search
Gimme Gimme Gimme - Karma!
That's so because given enough eyes, all bugs are shallow. That's why the most trusted cryptographic systems are the ones whose details have been open for decades, and which still have no known weaknesses, not the proprietary encryption that some company has made, claims unbreakable and pushes as a binary-only product.
There is no conflict between openness and security. Security through obscurity does not work. But hi, don't take my word for it, go visit some of the more well-respected security-analysts around and see what they think. Have a look at Bruce Schneier's site for starters.
You use middleware. This is middleware.
Gimme Gimme Gimme - Karma!
Middleware's one of the nicest types of software you can use when you want to automate operations across disparate networks, platforms and applications.
For those who don't know, middleware is like STDIN/STDOUT/STDERR. The bits that join the pipe together.
It's also usually very expensive, I rolled my own for home use (http://www.yelm.freeserve.co.uk/appsnet/) using suck/rpost and INN but I suspect this openadaptor stuff will be right on the ball.
ETX is TIB/Enterprise Transaction Express.
"That whole BIND thing" was discovered because the source is there for anyone to see. Would you rather that only crackers with nothing better to do than disassembling and reverse engineering the code should be the only one that has the time to look for, and find, the security holes?
So I guess you don't work at NationsBank.
-- Don't Tase me, bro!
> Web servers are not revenue stream.
Excuse me? Banks don't make money with online banking?
-- Don't Tase me, bro!
Hah, you're just jealous!
You fuckwit.
It's in the context of banking applications. DUH.
Gimme Gimme Gimme - Karma!
I only posted it in case the password stopped working. Which it did.
JMS is the Java Message Service. ETX is a product from TIBCO; there's also a TIBCO product called Rendezvous, and I presume that's what the original poster meant by "RV". "UDB" is "Universal Database", used in connection with IBM's DB2 database product in its various incarnations.
I know, this software doesn't actually run the servers, it just interconnects them. Still, too much knowledge in the hands of those with too little intelligence can be a dangerous thing.
Still, it's great to see major corporations not only using open source, but opening their internal tools to open source. One more point for the good guys.
No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova