Well, that didn’t last long. It had only been a day since the U.S. media had reported the emergence of the Source Code Club, a Web-based firm offering to sell what it claimed were the keys to several well-known software platforms. The costs were out of my price range — in the tens of thousands of
dollars — but I figured I would at least peruse the site and take some guesses at its credibility.
A day later, the site was shut down. Guess if you want to visit the black market, you’ve got to move faster than I did. The Source Code Club admitted that selling corporate secrets is “”very tricky”” and will resurface in a way that will ease customers’ fears about being caught. The company has already said it will evade police by using e-mail drops and encryption (now there’s a case study I’d like to read) and that if authorities try to shut it down, it will simply set up new ones or move onto mailing lists. Like spam, viruses and other IT evils, the Source Code Club would behave like energy — it can’t be destroyed, it simply mutates into something else.
Stolen source code may be something of a niche market, but it could be a very lucrative one. Whatever happens to the Source Code Club, it’s worth thinking about why the conditions were right for its birth and evaluating its long-term prospects.
The emergence of a Web-based economy forces us to rethink black market activity. Despite the dominance of the U.S., the software industry has no borders. The FBI is reportedly on the Source Code Club case already, but it may require more help than it realizes.
In general, the sophistication of this particular crime may be well beyond even the most effective “”bureaucratic machinery”” of any law enforcement agency.
The software industry has long been so proprietary that you could almost understand a movement to rebel against those constraints, except that we’ve already had one, in the form of open source. Clearly there can be little chance of a successful black market in Linux products, which may reinforce the value of open source as a more secure way of doing business. Already this year we have seen stories of source code theft at Microsoft, Cisco and Alta Vista, and only in one case has an arrest been made.
The health of a source code black market will also be influenced by the quality of the goods. In this case, Source Code Club had reportedly two primary assets: a version of Enterasys Network’s Dragon intrusion detection system and Napster’s client and server software. If these were older versions, as was rumoured, would they be worth the price? If they weren’t, clients would be left with scant compensation for the level of risk to which they had exposed themselves. Honour among thieves is no substitute for due diligence.
Source Code Club is one of the first but will probably not be the last to experiment with such an unusual business model. As with any other part of the economy, they will exist and flourish only so long as there is demand.
As for their prospective clientele, they should remember that you only get what you pay for.