Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How To Work On Source Code Without Having the Source Code?

Posted by timothy on from the step-inside-the-invisible-room dept.

occamboy writes: Perhaps the ultimate conundrum!

I've taken over a software project in an extremely specialized area that needs remediation in months, so it'll be tough to build an internal team quickly enough. The good news is that there are outside software engineering groups that have exactly the right experience and good reputations. The bad news is that my management is worried about letting source code out of the building. Seems to me that unless I convince the suits otherwise, my options are to:

1) have all contractors work on our premises — a pain for everyone, and they might not want to do it at all

2) have them remote in to virtual desktops running on our premises — much of our software is sub-millisecond-response real-time systems on headless hardware, so they'll need to at least run executables locally, and giving access to executables but not sources seems like it will have challenges. And if the desktop environment goes down, more than a dozen people are frozen waiting for a fix. Also, I'd imagine that if a remote person really wanted the sources, they could video the sources as they scrolls by.

I'll bet there are n better ways to do this, and I'm hoping that there are some smart Slashdotters who'll let me know what they are; please help!

23 of 234 comments (clear)

  1. An NDA works and makes for Target to sue by Joe_Dragon · · Score: 4, Insightful

    An NDA works and makes for Target to sue if the code gets out.

    1. Re:An NDA works and makes for Target to sue by gstoddart · · Score: 4, Insightful

      It kinda sounds like they are outsourcing to somewhere that they think an NDA will be impossible to enforce, or where the source will be leaked and they won't be able to prove anything due.

      Then .. they're doing it wrong.

      If you think either of those things, why the hell would you hire them? That would be idiotic, if not outright irresponsible.

      --
      Lost at C:>. Found at C.
    2. Re:An NDA works and makes for Target to sue by arth1 · · Score: 4, Insightful

      An NDA works and makes for Target to sue if the code gets out.

      That works great unless the managers look to save money by outsourcing to countries where such lawsuits would go nowhere, and contractor companies disband/reband at the first sign of trouble.

    3. Re:An NDA works and makes for Target to sue by cayenne8 · · Score: 5, Insightful
      Hey...sometimes you just gotta work on site.

      NDA's are nice...but I've seen them ignored and nothing much could be done about it, unless your company is a BIG one with some powerful attorney's and deep pockets.

      So, I'd say the simplest thing would be to have them work on site. Sounds like with the fast timing requirements, it might actually just be better for them to work and test ON the machines that will be running it, to make sure it runs fast enough....?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:An NDA works and makes for Target to sue by Anonymous Coward · · Score: 2, Insightful

      Any remote system you manage to devise will simply allow the source to be stolen anyway.

      Not only will they still be able to steal the source code on a USB stick if you bring them in on site, they will also be plenty of opportunities for them to take a lot more if you don't intend to have one guard standing behind each of them whenever they are there.
      If you don't trust them you can't use them. Not on site and not remotely.

      It is hard to get suits to understand this.
      Outsourcing is the magic black box that solves every problem but they are convinced that the company value is tied to the company name/logotype and not to know-how of the replaceable people that are working for them.

    5. Re:An NDA works and makes for Target to sue by Anonymous Coward · · Score: 4, Insightful

      If someone is willing to ignore your NDA, then they're also willing to walk off with a copy of the code. If you can't trust them, don't hire them.

    6. Re:An NDA works and makes for Target to sue by AmiMoJo · · Score: 3, Insightful

      That would be idiotic, if not outright irresponsible.

      This is management. If it works they saved a load of money and get a nice bonus. If it goes wrong they blame occamboy. It's win-win!

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:An NDA works and makes for Target to sue by ShanghaiBill · · Score: 4, Insightful

      If someone is willing to ignore your NDA, then they're also willing to walk off with a copy of the code.

      This is assuming the source code is actually worth something to someone else. Most companies have a wildly inflated idea of what their code would be worth to a competitor. In general, your competitors have no interest in seeing your crappy code, and are too busy with their own problems.

      I once consulted for a company that decided to "open source" some of their code. There were objections that they were giving away their "crown jewels", but they went ahead and did it. A year later, they had this many downloads of the code: 0.

    8. Re:An NDA works and makes for Target to sue by jellomizer · · Score: 5, Insightful

      Well more to the point, no matter what happens the damage is done.
      Source Code isn't as much of a threat to the organization as it is people who understand what it is doing.

      From the sound of the story, it seems like they are doing high-frequency-trading, and if the source is released then competitors can just start up their own competing company, and you loose out on your competitive advantage. However source code is usually minor part of the detail. It is when people understand what is going on and why it does it. Then they can go ahead and make a better version using the principles they learned maintaining your code.

      I have worked across a lot of organizations and I never copy the source code to my personal devices, and when I am done with the project I remove whatever I have. However what I learned from working with the code is where I am at an advantage. I find new ways to solve problems, I keep track of it, and flag it in my mind as a better way to approach a problem. I learn and get better. If I were to just take the code and make a competing company, I wouldn't have myself a real advantage, as I may not understand it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    9. Re:An NDA works and makes for Target to sue by pla · · Score: 5, Insightful

      NDA's are nice...but I've seen them ignored and nothing much could be done about it, unless your company is a BIG one with some powerful attorney's and deep pockets.

      Free hint, corporate America - I don't need the actual code in-hand to walk away with anything actually worth stealing from your code.

      The implementation amounts to nothing more than mere documentation, to a skilled programmer. The underlying concepts hold all the value, and once I've seen them, you can't make me un-see them. "Oh, what a cool way to schedule garbage collection without sacrificing soft-realtime I/O responsiveness! I'll have to remember that one!" - Done. Your one jewel-amongst-the-dross just became mine.

      So whether enforceable or not, the NDA has a hell of a lot more practical use here, as opposed to trying to control physical access to your preeeciousss source code.

  2. safe rooms by Anonymous Coward · · Score: 2, Insightful

    one option is allowing them to remote in from designated remote locations to virtual desktop implementations, safe rooms/clean rooms, where cell phones, etc. are not allowed. although there is still the concern of using screen capture software, so provide the computer equipment too, so you can lock down admin rights, software, dlp tools, proxy redirects, and all of the other goodness that can be used to limit the risk. This is one solution used in corporate america

  3. No problem ... by gstoddart · · Score: 5, Insightful

    I'll bill you at triple my usual rate to pretend to have fixed your code, and you continue to pretend I could have done so without seeing your code.

    If you quadruple my rate, I won't even admit to ever have done so.

    I think it sounds perfectly equitable.

    More seriously, that is what contracts are for. If you can't write a contract and hire people you can trust, you can't accomplish this task. At the end of the day, they'll see your code, and it will enter their brain.

    As has been pointed out elsewhere, this is what NDAs with big penalties are for.

    --
    Lost at C:>. Found at C.
  4. Re:Have them work on the premises. by gstoddart · · Score: 4, Insightful

    I mostly agree, except you forgot one thing ... but it will cost you.

    --
    Lost at C:>. Found at C.
  5. I suspect you're doomed to failure :( by tatman · · Score: 4, Insightful

    " so it'll be tough to build an internal team quickly enough "

    This smells of failure. Contractors aren't going to get up to speed any faster than internal resources (sans technology specifics like expertise in a language). Our management tried the same thing: hire contractors for a short term (less than 3 months), hurry up scenario. Except it took a month to interview and get the contractors on site. Much of the 3 months of contractors time was spent to get their environments setup, work with IT to configure permissions and the contractors themselves to learn the complex product enough to contribute. Not to mention the loss of focus of the internal team assisting the the contractors.

    I would spend more effort coming up with a realistic plan that has a chance at success rather than trying to meet a date that is not going to be met. Build a plan that includes a mix of internal an external resources. I would include time to hire contractors (remembering that background checks take time) plus all of the other activities that will consume time away from producing the finished product.

    --
    I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
    1. Re:I suspect you're doomed to failure :( by gstoddart · · Score: 5, Insightful

      " so it'll be tough to build an internal team quickly enough "

      This smells of failure.

      It is failure, but it's unrealized failure, and management may not understand how bad of a failure it is. Having a company which no longer employs the resources to fix and maintain their products means someone has already harmed the company beyond easy repair and failed to do anything about it.

      If you need this remediated within months, you're probably months past the point where you should have done something about it.

      No longer having the skillset to maintain your product means you are so deeply screwed it isn't funny. You're just pretending you still have that product.

      So, which is it? They laid off everybody who could do this? Or they pissed off everybody who could do this and they left on their own?

      Because, really, if you don't have the internal skills to fix it ... how can you possibly be qualified to evaluate, hire, and oversee the external skills in that impossible timeline?

      This is a pretty epic fail ... and in my experience that means management usually dropped the ball along the way. This is like a company making rocket engines suddenly realizing they don't have any rocket scientists.

      --
      Lost at C:>. Found at C.
    2. Re:I suspect you're doomed to failure :( by Anonymous Coward · · Score: 3, Insightful

      If only someone had done some research on this idea and come up with a simple law for us all to remember, like "Adding manpower to a late software project makes it later."

    3. Re:I suspect you're doomed to failure :( by abies · · Score: 3, Insightful

      Contractors aren't going to get up to speed any faster than internal resources (sans technology specifics like expertise in a language).

      Depends. If he is talking about things like HFT (sub-ms speed and paranoia of employer to share sourcecode), you can get contractors with a lot more that just expertise in language - they know exactly what to code from start till the end, what are common stumbling blocks etc. It is just getting a person to write a http web server, in some alternate world when there are no open source projects and no reliable 3rd part providers. Getting a contractor which has already written 5 web servers for different companies is going to speed you up really a lot.

      Such dynamic is not common in other areas - but in other areas, being few % faster than competitor does not let you earn order of magnitude more money. There is huge negative incentive for companies to share their code and no incentive for contractors to spread/share their knowledge in form of open source, as it can directly cuts into their future profits.

      Said that, it might something else, because:
      - for amount of money you are paid (we are talking 1000+ daily, in whatever currency you happen to like), people are generally willing to relocate, especially for shorter projects, which this one seems to be
      - HFT is not exactly a hot subject right now (and they might be already reasonable off-the-shelf solutions, I'm outside of that for some years now)

  6. Re:Have them work on the premises. by cat_jesus · · Score: 4, Insightful

    Right. As a consultant I will tell you when your requirements are stupid and costly. If you still insist on me working inefficiently it's your dime. I'll happily take more of your money to do it the wrong way and I will make sure my recommendations are clear in the documentation.

  7. Cameras are so, so tiny these days by Medievalist · · Score: 4, Insightful

    You cannot physically enforce security of code sources you are allowing people to see - unless you are going to have them work entirely naked, under constant physical observation, with full body cavity searches every time they enter or leave the workroom.

    Hire someone trustworthy, pay them well, and have them work on-site. That is the path to success. Anything else is almost guaranteed to create the situation you're trying to avoid; paranoia breeds dissent and distrust breeds subterfuge.

  8. Contractors will always come on-site by mveloso · · Score: 3, Insightful

    If you pay them enough, contractors will do the work on-site. It's not a pain, it's SOP.

  9. Can't have your cake and eat it, too. by Drewdad · · Score: 4, Insightful

    You cannot simultaneously keep something secret and share it.

    This question really doesn't make sense... How do you have a highly-valuable source code repository and simultaneously require external developers to modify/maintain it? How was the code developed initially? Did you have contractors develop it initially, and then have some kind of falling out? Did you have a mass walkout of your staff?

  10. Document the costs and benefits, management decide by raymorris · · Score: 4, Insightful

    Maybe the cost to have people work on-site is worth it, maybe not. Management said they wanted to keep the code on-site, and management wants to manage costs. Management can decide whether working on-site is important enough to them that they want to spend the additional money, after you tell them how much it will cost them.

    So estimate the costs for each option, then let management decide - do they want to spend three times as much to have people on-site, given that there is little to no benefit? Are they happy with remote desktop, given the costs? Let management decide their own priorities.

  11. Convince Management by firewrought · · Score: 3, Insightful

    I don't know your situation. I assume it's not the military-espionage sector but something more akin to HFT or something esoteric in the manufacturing segment.

    The raw truth is that it's very, very hard to prevent data exfiltration by a competent software developer who has adequate tools/access for his job. At the same time, it's very, very easy to hamstring a competent software developer and thereby torpedo their time-efficiency. If you're really worried, start with the "edges"--thing like NDA's, copyright/patent agreements, and background/credit checks--stuff that doesn't interfere with day-to-day work. Anything beyond that (change management, device restrictions, copyright headers in source code, etc.) should be more about avoiding sloppiness than about avoiding malice.

    The other raw truth is that management frequently believes their software to be more valuable than it actually is. Frequently, the software that it cost you a fortune to build would be nigh worthless to a competitor because integration, customization, and data conversion would make it extremely unattractive compared to improving their own in-house product or buying a commercial product where the vendor is used to making customizations. (Much better in some cases to give your software away [if not open source it]: there are probably a lot of missed opportunities for companies to make their toolset the de facto standard for an industry, reaping money or market influence in the process.) Ask your management to imagine receiving an offer for an illicit copy of their competitor's code. Would they be willing to risk it? My guess is that they'll say "no", and you might want to start job hunting if they say "yes".

    Finally, of your two proposals, only onsite work sounds viable. Standing up a fussy/novel telecommuting scheme is sure to frustrate developers [perhaps challenging them to deliberately thwart the system when they wouldn't have given it a thought otherwise]. Moreover, if anything goes wrong [which is very likely], it's your headache and your fault. Don't even mention option (2)... it's just a creative way to get yourself fired. Provide management with option (1) only: if contractors refuse to work onsite, management can think a little bit harder about what their real needs are... updates to the product or [illusionary] control of the source code.

    --
    -1, Too Many Layers Of Abstraction