I saw in the news that there’ve been two cases lately of programmers stealing source code on the way out the door from their employers, presumably to use at their next job.  In both cases the code was for financial companies’ high-speed trading systems.

Let’s acknowledge that high-speed trading systems are more complicated than, say, a content management system.  I hope they are anyway, though recent market activity makes me doubt that sometimes.  Anyway, the algorithms are complicated, probably convoluted, hopefully rigorously tested, and they contain key competitive information that other companies would probably want to take a look at.  It’s valuable stuff.

That said, if a programmer doesn’t know how his systems work, he’s probably not worth the $1.13 million salary the new company was offering him (note to self: I’m in the wrong market, clearly.)  Let’s assume that the new company wasn’t simply out to buy a copy of a competitor’s source code – they obviously wanted someone with experience in these matters, and knew they’d be getting some insider knowledge in the bargain whether it was ever talked about or not, but I’m willing to assume they knew they were hiring an expert in a certain subject area.

Of course, if you’re an expert, you probably don’t need to copy source code.

Here’s the thing: a good programmer is always thinking about how he’d do things better if he had a chance to do it again.  A good programmer also knows how to evaluate build versus buy, and can resist the lure of not invented here system, but ultimately if you’re paying someone a premium for what’s in their head, it’s what’s in their head that you’re paying for.  Yes, that’s circular, but it’s not about what notes or code they can swipe on the way out, and if your business needs that information to stay competitive, there’s a problem.

I’m not advocating open-sourcing competitive assets here, but the reality is that, for most businesses, most of the value in keeping your code secret is to create a (mild) barrier to entry for competitors.

I realize this argument would be easier to make if the code was for something where a few less dollars were involved and the competition wasn’t so fierce, and there are probably people reading who can make a case for industrial espionage at that level, but speaking as a former developer, assuming you’re going from one company to another who both have successful systems already in place (so we’re not talking about ramp-up costs,) the value of that code (assuming it’s not what you’re actually being paid to bring over) is a lot less than you realize, and if it’s not, you need to rethink your salary expectations.

From the latest Canadian Business: The secret shipping news: Intelligence services use import manifests to help clients identify consumer trends and keep track of rival products. Briefly, it’s often possible to learn key strategic information about a company from its shipping manifests, which can be found through US Customs declarations or companies like Import Genius, which can provide you with a searchable database for as little as $99/month.

From this, I can learn even more about the companies in question: their logistics executives are probably in their 50s or older and have no kids.  Or at least they don’t follow Batman’s adventures.

I’m sure it’s come up in the comics more than once, but can I recall an episode of Batman: The Animated Series from 1993 called The Mechanic where exotic car part orders were traced to deduce who was supplying Batman with service for his Batmobile. Hell, didn’t this even come up in the Dark Knight movie where that accountant found some irregularities?

How hard is it for big companies to create shell companies that move their stuff around?  I know if I had an on-site legal team, the first thing I’d do every morning would be to send them a list of company names I wanted registered for future nefarious purposes.  True, if I were CEO you could deduce most of my activities by searching for companies with the words “pants” and “donkey” in their names, but I’m not CEO of anything at the moment, for reasons that escape me.

It’s settled then: big companies need to hire a comics writer if they’re serious about security. As long as it’s not a writer for Superman, that is. I mean, “wear glasses” probably isn’t the be all and end all to privacy protection.

I’ve had this in my reader’s open tabs for over a month now – totally old news, but they found out that people were able to tap into the video feed from U.S. Predator drones using software that costs around $25.

And yes, it’s in my browser because there’s a part of me that wants to check out this software.  Maybe it has a free demo period so I can try it out.  Because hey, wouldn’t it be cool to see what the local Predator drones are seeing?

I just never got around to it.  Which is probably just as well – I mean, what are the odds I’d find a live feed of a Predator in downtown Toronto, and what exactly would my reaction be if I found one?

Back when I developed ticketing software for events, the clients would complain that I made the ticket ID too long.  I feel vindicated today.

Via a post to the Torcamp mailing list (from Stephen, last name left out to give some semblence of after-the-fact privacy,) I found out about an email campaign being run for Primus Canada.  It’s got all those slick bits that marketers love: you get a personalized link that shows a video WITH YOUR NAME IN IT!  Wow!  And better still, you get to send customized videos to your friends! Viral wow!

The only real problem here is that instead of using, say, a GUID or some other really big identifier in the personalized URLs, the company used an integer. A few quick tests confirm that it’s a sequential integer.

Let’s spell this out: Primus has provided their customer list of names and emails to anyone who can edit a URL.

So what’s the exposure? In about 3 minutes of entering higher and lower IDs in the URL, I found a consecutive range of about 144, 657 IDs.  I didn’t try every number in that range (you can be sure some scrapers are doing that right now, somewhere on the internet) but given the overall naivete of the URL scheme I’m guessing the range is unbroken.

What’s more, it’s highly possible that there are other ranges in there from other database loads.

Picking an arbitrary starting number for your consecutive number range is not a realistic security measure.  In my ticketing days mentioned above, the exposure would have been counterfeit tickets which might or might not have been caught at the gate (there were secondary measures like the customer’s name on the ticket matching the scan.)  Here, I can pretty much guarantee that a lot of Primus customers just got added to a bunch of spam lists.

So, for developers out there (or marketers with half a brain that want to test their dev team), what’s a better way to do this?  As I suggested, a GUID would work better – it’s a really big number that’s harder to guess, but not impossible, and the more names in your database, the more hits, so I’d add the customer’s actual email address (or a tokenized version of it) to the URL as well – this is an email campaign, and it’s not like people will be typing these URLs in anyway, so there’s not much harm in making them bigger. The email token’s probably overkill, but this way the only way an attacker is going to see the email address is to know it in the first place.

Oh, and added bonus: if you view the source of the landing page there’s a link to the privacy policy and the terms and conditions. They’re commented out.

Update: Andrew Loius has even more gory details over here.

Update 2: The site’s been pulled (like, hard down, 404 not found, Gordon Ramsey style “shut it down.”)  Hopefully they’ll resolve this properly and recover somehow; it’s not a bad campaign, just an unfortunate deployment.

OK, so captchas (I suppose I should capitalize that, but too… darned… lazy) exist to detect that you’re a real human and not some script that’s up to no good.

But… What if you’re a human who’s being used by script that’s up to no good?

Via Seth: someone’s come up with an app that makes you enter captcha information to see a strip tease, but rather than generate the captchas itself, the program just grabs them from a convenient place, like Yahoo Mail, and then it uses your answers to gain entry into the captcha-protected site.

It’s one of those things that you’re amazed nobody’s thought of sooner.

Coincidentally, I was trying to implement a captcha on a form the other day.  Rather than reinvent the wheel, I went with CMU’s reCAPTCHA project, which also uses your input, but in this case it’s to help digitize books.