Slashdot Mirror
Open Source Banking
Cynical Yorkshireman writes "I sold my soul to investment banking a long time ago ... It's nice to know that some of the Wall Street money machines are actually quite forward thinking about IT! Dresdner Kleinwort Wasserstein will announce today that (with Collab.net's help) that they are open-sourcing their internal systems integration toolkit.
The official launch is today. Until recently I actually worked at DrKW, and have used this stuff a heck of a lot over the years. Basically, this is a toolkit that allows disparate systems to be connected (Sybase->RV->JMS->IIOP->ETX->MQ->UDB is a snap) in a very, very easy way. Without doubt one of the best pieces of software I have ever seen, and far and away the most useful!
Go get it (when the site opens), and never worry about system interfacing again ..." There's also a Reuters story with more information. Note that openadaptor.org is still password-protected as I write this.
Basically, do you believe (or whatever) in Open Source enough to bet your bank account on it?
Would you download the source code and inspect it first? or who would you look to, to validate and verify that the code was clean?
after all, it is only your money.
"It is a greater offense to steal men's labor, than their clothes"
To clarify what the openadaptor software is and is not: As the original poster noted, the openadaptor software provides easy ways to set up connections between different types of applications; it is basically an integration toolkit. However the openadaptor software is not in and of itself a banking application. Thus, for example, openadaptor was used to help implement a global equities derivative trading system at Dresdner Kleinwort Wasserstein, but the openadaptor code itself does not perform the financial calculations involved in derivatives trading.
I should also note that the potential usefulness of openadaptor extends well beyond banking and financial services; any company with large complex IT systems might be interested in it, especially companies that have to integrate systems across divisional or corporate boundaries, for example as a result of a merger or acquisition. (This includes Dresdner Kleinwort Wasserstein itself -- it was known as Dresdner Kleinwort Benson until it recently merged with Wasserstein Perella.)
I do not work in the banking industry myself.. I do work as a software developer for a large corporation.
I think taking an extremely cautious approach towards any banking system warrants merit. No bank wants to risk exposing themselves to massive lawsuits over inadequate security over a person's account. I feel certain banks do not enjoy risk beyond working the stock market.
However, bankers do occasionally embrace new technologies. Witness the ATM machines, which didn't exist as readily today as twenty years ago. Also witness the growing trend in online-banking. As a new technology, open source development holds promise, but hasn't matured yet. But this doesn't rule it out as a viable technology.
Consequently, I think it's too early to say that the banking industry will never embrace open source. I suspect they simply need to wait for it to prove itself further before they may enjoy its benefits.
I will gently side-step the DMCA issue to point out that many banks provide their own developers towards projects in-house. Consequently, I doubt the DMCA issue needs to be drawn in here; banks would simply have their developers close whatever security issue arose. And, if the banks' developers worked with open source development, they would probably find themselves controlling much of the software... to include project management (possibly).
Open source offers a greater chance towards better security than the rather scary practices they currently hold. I've recently read about the transaction protocols used by the banking industry; if they truly use a 56-bit key to encrypt a password without using public-key encryption, in a relatively short period of time, cracking such transactions should become trivial. This is not the sort of freedom open source developers want to see in their information, and neither should bankers. I do not happen to have the URL for this information readily in hand, or I would merrily direct you to it.
While I'm sure some open source project management might be poorly executed, it doesn't mean all projects are poorly managed. I would point towards the linux kernel itself as a relatively good example of project management in the open source model.
If there truly is 'no confidence communicated that any application developed in the open source model would not be secure...' this would indicate a failing of open source evangelism, and not of the technology. I would challenge 348 to provide credible evidence of a well-known, popularly used open source project relying upon security that proved to be less secure than its close-source counterpart.. and further, upon doing so, I would challenge 348 to note how long it would take for the project to repair said security issues.
As for open source zealotry, screams of 'information wants to be free' and whatnot, I suspect these statements show a lack of understanding of open source values, and a misunderstanding of our culture. I would refer you to esr's Homesteading The Noosphere (sic?) for a better understanding of this culture. Of course, as with any group of people, you have your bad elements... but these do not necessarily represent the collective view. It would be like suggesting that all Americans were money-grubbing opportunists.
And so it goes.
That's so because given enough eyes, all bugs are shallow. That's why the most trusted cryptographic systems are the ones whose details have been open for decades, and which still have no known weaknesses. not the proprietary encryption that some company has made, claims unbreakable and pushes as a binary-only product.
There is no conflict between openness and security. Security trough obscurity does not work. But hi, don't take my word for it, go visit some of the more well-respected security-analysts around and see what they think. Have a look at Bruce Schneiers site for starters.
"That whole BIND thing" was discovered because the source is there for anyone to see. Would you rather that only crackers with nothing better to do than disassembling and reverse engineering the code should be the only one that has the time to look for, and find, the security holes?