Ask Slashdot: How To Work On Source Code Without Having the Source Code?
occamboy writes: Perhaps the ultimate conundrum!
I've taken over a software project in an extremely specialized area that needs remediation in months, so it'll be tough to build an internal team quickly enough. The good news is that there are outside software engineering groups that have exactly the right experience and good reputations. The bad news is that my management is worried about letting source code out of the building. Seems to me that unless I convince the suits otherwise, my options are to:
1) have all contractors work on our premises — a pain for everyone, and they might not want to do it at all
2) have them remote in to virtual desktops running on our premises — much of our software is sub-millisecond-response real-time systems on headless hardware, so they'll need to at least run executables locally, and giving access to executables but not sources seems like it will have challenges. And if the desktop environment goes down, more than a dozen people are frozen waiting for a fix. Also, I'd imagine that if a remote person really wanted the sources, they could video the sources as they scroll by.
I'll bet there are n better ways to do this, and I'm hoping that there are some smart Slashdotters who'll let me know what they are; please help!
I'll bill you at triple my usual rate to pretend to have fixed your code, and you continue to pretend I could have done so without seeing your code.
If you quadruple my rate, I won't even admit to ever have done so.
I think it sounds perfectly equitable.
More seriously, that is what contracts are for. If you can't write a contract and hire people you can trust, you can't accomplish this task. At the end of the day, they'll see your code, and it will enter their brain.
As has been pointed out elsewhere, this is what NDAs with big penalties are for.
Lost at C:>. Found at C.
Speaking as a contractor, I'll work on site if you insist. You're the boss. Provide me with equipment and coffee, and I'll suck it up.
We're whores. We want your money. We don't care if your demands are stupid, as long as we can meet them.
You can do the onsite thing, but you are right in that you will limit the groups which may be interested, and also you may need to pay more as the group may include the cost of hotel stays, food, etc in their quote for doing the work. So you can limit your potential personnel and it can cost more.
If you do the remote thing, they don't have to log into virtual desktops, they can log into real hardware just as well if performance is an issue.
Also, "I need you to fix my source code but you can't see it" ... that's kind of a paradox.
And regarding your source code, set up an NDA. If the group you contract with is a quality group with a good reputation, this shouldn't be a problem. Actually, I hate to break it to your management, but unless you are doing an air gap/search of employees entering a special lab where they have no means of getting the code off (floppies, USB keys, etc.), your source code has likely left the building one way or another, for good or ill.
You can also tell your management that if they want to do this all internally, etc., then the timeline needs to be extended. They are giving you legitimately contradictory constraints. Not that this is uncommon (constraints conflict all the time), but you need to know where the flexibility is.
NDAs are nice... but I've seen them ignored and nothing much could be done about it, unless your company is a BIG one with some powerful attorneys and deep pockets.
So, I'd say the simplest thing would be to have them work on site. Sounds like with the fast timing requirements, it might actually just be better for them to work and test ON the machines that will be running it, to make sure it runs fast enough....?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
It is failure, but it's unrealized failure, and management may not understand how bad of a failure it is. Having a company which no longer employs the resources to fix and maintain their products means someone has already harmed the company beyond easy repair and failed to do anything about it.
If you need this remediated within months, you're probably months past the point where you should have done something about it.
No longer having the skillset to maintain your product means you are so deeply screwed it isn't funny. You're just pretending you still have that product.
So, which is it? They laid off everybody who could do this? Or they pissed off everybody who could do this and they left on their own?
Because, really, if you don't have the internal skills to fix it ... how can you possibly be qualified to evaluate, hire, and oversee the external skills in that impossible timeline?
This is a pretty epic fail ... and in my experience that means management usually dropped the ball along the way. This is like a company making rocket engines suddenly realizing they don't have any rocket scientists.
Well more to the point, no matter what happens the damage is done.
Source Code isn't as much of a threat to the organization as it is people who understand what it is doing.
From the sound of the story, it seems like they are doing high-frequency trading, and if the source is released then competitors can just start up their own competing company, and you lose out on your competitive advantage. However, source code is usually a minor part of the detail. It is when people understand what is going on and why it does it. Then they can go ahead and make a better version using the principles they learned maintaining your code.
I have worked across a lot of organizations and I never copy the source code to my personal devices, and when I am done with the project I remove whatever I have. However what I learned from working with the code is where I am at an advantage. I find new ways to solve problems, I keep track of it, and flag it in my mind as a better way to approach a problem. I learn and get better. If I were to just take the code and make a competing company, I wouldn't have myself a real advantage, as I may not understand it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Free hint, corporate America - I don't need the actual code in-hand to walk away with anything actually worth stealing from your code.
The implementation amounts to nothing more than mere documentation, to a skilled programmer. The underlying concepts hold all the value, and once I've seen them, you can't make me un-see them. "Oh, what a cool way to schedule garbage collection without sacrificing soft-realtime I/O responsiveness! I'll have to remember that one!" - Done. Your one jewel-amongst-the-dross just became mine.
So whether enforceable or not, the NDA has a hell of a lot more practical use here, as opposed to trying to control physical access to your preeeciousss source code.
A year later, they had this many downloads of the code: 0.
4,294,967,296 downloads? That's quite impressive!