Slashdot Mirror


Tracking Code to Its Origins?

openbear writes "While doing a code review for a closed source project at work I came across a few files that were stolen from an open source project. The individual that did this was dumb enough to leave the original license in one of the files, however he was smart enough to remove all trace of where the code came from. He since quit the organization, so we (the developers) can't get to him to find out where he got this code from. Now management wants us to ship the product as is (with the stolen code intact) because we can't point to the original source of his questionable code. A few of us scoured SourceForge and several Apache projects but couldn't find anything matching. My question is: What is the best way to track down where this code originated from? Is there an organization that would help? A tool? A website?"

14 of 59 comments

  1. what about rewriting the code? by krs-one · · Score: 5, Insightful

    Couldn't you just rewrite the stolen code? If your program has a main API and such, then couldn't you just rewrite the code to match your API or something like that? Unless the code is the majority of your project, I see no reason why it simply couldn't be rewritten.

    -Vic

    1. Re:what about rewriting the code? by openbear · · Score: 3, Informative

      Yes the code could be rewritten, but the project is at the stage where it takes a show-stopping** bug or management approval to modify any code. The next version of this product will NOT have the questionable code in it, but there will still be customers running this version (with the stolen code) for about a year or so.

      ** And by show-stopping bug, I mean broken core functionality or something deemed important by management.

    2. Re:what about rewriting the code? by little_fluffy_clouds · · Score: 3, Informative

      ** And by show-stopping bug, I mean broken core functionality or something deemed important by management.

      I call getting the pants sued off you something "deemed important by management".

      Several of you fucked up - this code got into the project without being checked where and who wrote it. Now rewrite and reintegrate and retest, and remember this lesson.

      --
      What were the skies like when you were young?
  2. Tried Google? by rtaylor · · Score: 5, Informative

    Find a line or 2 of code that look non-standard.

    Run through Google Groups, etc. If it's from a popular project, Web based CVS is gonna be on it and Google will have sucked up the source.

    Other than that, I really don't know.

    --
    Rod Taylor
  3. Errr, you still need to try harder... by Jerf · · Score: 5, Interesting

    You'd better speak to your corporate lawyer. If you don't have one, get one. I'd advise bringing a camera... it's gonna be a real Kodak(TM) Moment when he first understands what you're saying.

    You didn't mention what license this is. Is it the GPL? If so, that means that you have actually managed to stumble on one of the rare situations where the GPL is actually viral! If you release this code, you will be legally obligated to provide source to any customer, just for the asking!

    If it's not one of the 'viral' licenses, then you haven't got a problem anyhow.

    This isn't even a copyright law issue per se; the onus is on you/your company to find the source of the code, and get permission to use it, or face the consequences of not doing so. This is a general principle in the law.

    The law only rarely lets "I tried as hard as I could!" be an excuse. If you can't get permission, you can't use it, end of (legal) story.

    You are asking for it. Hate to say it, but consult a lawyer! Consult a lawyer! Consult a lawyer!

    1. Re:Errr, you still need to try harder... by Jerf · · Score: 4, Insightful

      So his company can probably pick: license violation or copyright violation.

      No, there's the two legal options, too: Find the author and obtain permission, possibly with the judicious use of cash, or dike the code out and replace it with something they wrote.

      but copyright law isn't "viral".

      I can derive no meaning from that phrase. My best-guess rebuttal is that yes, if the code was GPL'ed and they release it, then they are legally obligated to release the source to the whole program under the terms of the GPL. They may refuse; they may also go on a murderous rampage, slaughtering all in their path. But not legally.

      (I admit it, I posted this reply just for the last mental image.)

  4. How do you know it was stolen? by cperciva · · Score: 3, Insightful

    This might be a dumb question, but how do you know the code was stolen? Maybe he just decided to stick a license at the top of some code he wrote in order to confuse people. Or maybe he wrote the code himself for a different project, and when asked to write the same thing just copied his work across intact.

    There are any number of legal possibilities, and I can't see that they can be simply discarded based on the information provided.

  5. I wrote it by Bald+Wookie · · Score: 3, Funny

    Don't worry. I was the one who wrote it. Just deposit $50,000 in my Paypal account and you can do whatever you want with it.

  6. Grep for it! by phr1 · · Score: 4, Insightful

    Get a big compilation source code CD like the Yggdrasil Internet archives, or even a regular Red Hat source CD. Then run a script which unpacks the zip files as needed, and greps for some sample strings from the code.

    Also, you might paste a few lines into a comment on this thread and see if anyone recognizes it.

  7. Re:Do a different search? by openbear · · Score: 3, Interesting

    Several of us spoke with him before he left and got nowhere. He admitted that he didn't write the code and that he "borrowed it from the Internet". That is all he would tell us. He refused to tell us where he "borrowed" it from. He since left the company, so we can't threaten him with disciplinary actions. The main point of going through this search is 1) for ethical reasons and 2) to make sure that we never hire this guy back as a contractor again.

  8. link to the code. by gonar · · Score: 3, Informative

    http://java.sun.com/j2se/1.4/docs/api/java/net/URLEncoder.html

    --
    The difference between Theory and Practice is greater in Practice than in Theory.
  9. Re:Do a different search? by Mr+Guy · · Score: 3, Insightful

    No no no. YOU don't talk to him. YOUR LAWYER explains where providing illegal services is a breach of contract, and how you will be suing for damages, compounded by the damages to your customers.

  10. Here are two methods ... by openbear · · Score: 3, Informative

    Ok, I thought about it a bit and I think I can post some of the source without violating my NDA. Here are two methods from code that I know is stolen. It is only doing Base 64 encoding and decoding so it is not giving away any company secrets. I removed all comments and package names so it is just the bare code. If anyone can locate the origins please reply to this post. Remember this particular code is dated about two years old. Thanks to all of those who put effort into giving ideas and opinions. I still haven't been able to locate the origins of this code, so if nothing more comes out of this last post then I suppose I will just accept the fact that sometimes sleazy people get away with thievery and walk away without a care. Thanks again.

    public class Base64 {
        public static String encode(String data) {
            int c;
            StringBuffer ret = new StringBuffer();
            try {
                byte[] arr = data.getBytes("iso-8859-1");
                int len = arr.length;
                for (int i = 0; i < len; ++i) {
                    c = (arr[i] >> 2) & 0x3f;
                    ret.append(cvt.charAt(c));
                    c = (arr[i] << 4) & 0x3f;
                    if (++i < len)
                        c |= (arr[i] >> 4) & 0x3f;
                    ret.append(cvt.charAt(c));
                    if (i < len) {
                        c = (arr[i] << 2) & 0x3f;
                        if (++i < len)
                            c |= (arr[i] >> 6) & 0x3f;
                        ret.append(cvt.charAt(c));
                    } else {
                        ++i;
                        ret.append((char) fillchar);
                    }
                    if (i < len) {
                        c = arr[i] & 0x3f;
                        ret.append(cvt.charAt(c));
                    } else {
                        ret.append((char) fillchar);
                    }
                }
            } catch (Exception e) {}
            return(ret.toString());
        }
        public static String decode(String data) {
            int c;
            int c1;
            StringBuffer ret = new StringBuffer();
            byte[] arr = data.getBytes();
            int len = arr.length;
            for (int i = 0; i < len; ++i) {
                c = cvt.indexOf(arr[i]);
                ++i;
                c1 = cvt.indexOf(arr[i]);
                c = ((c << 2) | ((c1 >> 4) & 0x3));
                ret.append((char) c);
                if (++i < len) {
                    c = arr[i];
                    if (fillchar == c)
                        break;
                    c = cvt.indexOf((char) c);
                    c1 = ((c1 << 4) & 0xf0) | ((c >> 2) & 0xf);
                    ret.append((char) c1);
                }
                if (++i < len) {
                    c1 = arr[i];
                    if (fillchar == c1)
                        break;
                    c1 = cvt.indexOf((char) c1);
                    c = ((c << 6) & 0xc0) | c1;
                    ret.append((char) c);
                }
            }
            return(ret.toString());
        }
        private static final int fillchar = '=';
        private static final String cvt = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            + "abcdefghijklmnopqrstuvwxyz"
            + "0123456789+/";
    }
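
Added example (not part of the thread, and not any poster's code): a sketch of the "unpack the archives and grep" approach suggested in comment 6, using lines from the Base64 code posted in comment 10 as search strings. It compares whitespace-stripped lines so that a re-indented or comment-stripped copy still matches, and reads archive members in memory rather than extracting them to disk. The archive contents, file names and the `MAX_MEMBER` cap are constructed for illustration.

```python
import io, re, tarfile, zipfile
# Distinctive lines copied from the Base64 code posted in the thread.
NEEDLES = [
    "c = ((c << 2) | ((c1 >> 4) & 0x3));",
    "c1 = ((c1 << 4) & 0xf0) | ((c >> 2) & 0xf);",
    "ret.append((char) fillchar);",
]
MAX_MEMBER = 5 * 1024 * 1024  # assumed cap on declared member size (zip bombs)

def norm(line):
    """Remove all whitespace so re-indented copies still match."""
    return re.sub(r"\s+", "", line)

def members(blob):
    """Yield (name, bytes) per file in a zip or tar archive, in memory only."""
    bio = io.BytesIO(blob)
    if zipfile.is_zipfile(bio):
        with zipfile.ZipFile(bio) as z:
            for info in z.infolist():
                if not info.is_dir() and info.file_size <= MAX_MEMBER:
                    yield info.filename, z.read(info)
    else:
        bio.seek(0)
        with tarfile.open(fileobj=bio, mode="r:*") as t:
            for m in t:
                if m.isfile() and m.size <= MAX_MEMBER:
                    yield m.name, t.extractfile(m).read()

def scan(blob, needles=NEEDLES):
    """Return {member name: count of distinct needles found}, best match first."""
    want = {norm(n) for n in needles}
    hits = {}
    for name, data in members(blob):
        lines = {norm(l) for l in data.decode("latin-1").splitlines()}
        if want & lines:
            hits[name] = len(want & lines)
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))

def build_sample():
    """Constructed corpus: one file with two re-indented needles, one without."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("proj-1.0/src/util/B64.java",
                   "/* some license */\n\tc = ((c<<2) | ((c1>>4) & 0x3));\n"
                   "  ret.append( (char) fillchar );\n")
        z.writestr("proj-1.0/README", "nothing relevant here\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan(build_sample()))
```

Files that match several needles are the ones worth opening by hand; a single hit on a short line can be coincidence.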