Is Mondo open source


(Mitar) #1

Is Mondo’s code open source? Both apps and server-side/API components. Simply everything. I think this would definitely be something which is aligned with the ethical bank.

I think it is important for users to see and understand what apps and a bank are doing in their name. Especially if the bank is digital only. The code is what the bank is. So knowing what this code is, is important.

Moreover, open source is known to be important for the security of the code. Prominent security researchers simply see this as a no-brainer.

Furthermore, the code does not have to be made an “open source project”. You just open it, so that others can see it. And you can clearly mark that you are not really accepting contributions or offering support for it. That code is there so that others can check it, for transparency. That you will maybe accept contributions in the future, when there are enough resources to support that.


#2

I’m not sure how I feel about this. On one hand, more eyes on the code means that bugs could be identified quickly, but that’s the problem: if someone finds a possible hole and doesn’t ethically report it, that could cause serious problems since this is a bank. Also this means Mondo gives up everything to its competitors and people can just rip it off.


(MikeF) #3

Personally, I’m against this idea for exactly those reasons.


(Josh Bray) #4

I don’t think the FCA and BOE would really approve of this due to security concerns


(Mitar) #5

Those are very common issues people raise. There is probably so much written online about this that I probably cannot write much better. :slight_smile:

But, the point is that bugs are found even when code is closed source. Many companies have bug hunting programs. Why? Because people find bugs anyway. Even if code is closed source. And the issue is that they have to incentivize people to disclose them to the company, instead of misusing them for their own personal gain.

So closing code does not improve security. Read the article I linked in the original post.

What opening code does is improve transparency. It invites audits. Researchers can use their tools and run them on your code. I think that more ethical people are then willing to spend time trying to find bugs in your code than if it is closed. But for me the most important thing is that it is ethical. I want to know what is happening to my money. I am invested in my money. So it is also important that maybe I will go and try to check for bugs. Especially if it is easy for me to check the code. And if it is open source, more of such people will do that. Because we care more about the bank and our money than about some gains.

Even if you find a bug and gain money, you can still be prosecuted. And Mondo should anyway have multiple layers of security so that it is hard to do anything without good tracing of who did it. You can have multiple systems working to achieve this. So even if the bug is in one system, the other can at least know who did it.

About competitors. I think Mondo can attest to the fact that running a bank is much more than just code. It is customer development, regulations you have to handle, capital you need, and so on. Moreover, you can always just make code visible, but not really allow anyone to reuse it. So it is not open source, but public source.


(Dan) #6

I can’t see this happening to be honest.

As much as I agree with a lot of your points, as a digital bank, one of Mondo’s most precious assets is its code - their competitors would gain an enormous advantage by seeing and/or copying this.


(Mitar) #7

I think you are overvaluing the code. :slight_smile: Competitors cannot just come and take the code. Technically it often does not work like that.

And even if they decide to invest engineering resources to integrate 3rd party code with their existing systems, when they do that, you sue them because they are breaching the license under which you put the code out (for example, you could have a clause saying that they should not use the code in banking areas where you are also active, so an anti-competing clause, or you could simply have it that nobody can use the code, they can just see the code).

And if they do this in a country with bad IP protection laws, you do not really care, because you are not doing business there anyway.


(James Billingham) #8

Those restrictions would, by definition, make the code not open source.


(Mitar) #9

That is a question of definitions. You have many various things like OSI, FSF, and so on. I think just making it “public source” would already be a good enough step. And then moving to full OSI or FSF could be done later.

For example, the AGPL license might also be what would limit competitors from just copying stuff. Because if they copied stuff, they would also have to make their own code all AGPL. So it is a different way to achieve that competitors cannot really just take the code and run with it. They would have to contribute back. So another ethical bank who would like to do something similar in some other country might do it and work together with Mondo for the better of both banks.


(Dan) #10

I’m not overvaluing the code. Mondo is spending a heck of a lot of money on developer resources.

And obviously I’m not talking about a copy and paste situation, I understand the licensing. But we live in the real world, and the point of having it open source in the first place is allowing all to see the inner workings.

Researching the best methods to solve a problem, and fixing the extra difficult bugs (which can sometimes take weeks, even months) and publishing your work does give your competitors an advantage. No matter how far ahead you are - the catch up process is easy.

Open source is powerful, there is no denying that, but some things should be closed source; the world depends, in my opinion, on a mix of both. And as a startup, trying to race ahead to be first, I don’t think making your only product’s secrets public knowledge is a good business decision.


(simon) #11

Ok, story time… In the early days of Mondo, I had the honour of hosting RMS at my house for a week and we spoke a lot about this. RMS, Richard Stallman, is the founder of the Free Software Foundation and the GNU project.
When you use Linux, you’re actually using the GNU operating system, with a Linux kernel. Some people prefer to call Linux GNU/Linux. RMS also wrote Emacs, one of the first programmers’ editors (although I’m a VI man myself…)

Anyway, we spoke lots about Opensource and Freedom and what it would mean for Mondo. Open Source software and Free software overlap, but not totally. Software can be Opensource and Not Free (e.g. Microsoft has opensource software, but you have to agree not to modify it…)

Free software can also be Closed Source… For us, Mondo’s source code IS free software.

We’re free to modify it and use it as we like. Since we’re not asking you to run it on your computer we’re not taking away your freedom.

As pointed out above, opensourcing our core banking system wouldn’t make sense from a business or security standpoint, but we will opensource a lot of our core libraries, probably under BSD type licences.

There is one area where we’re not free, that is when we ask you to run closed source, non-free client software on your mobile device. Right now our iOS apps and Android apps are non-free. I personally feel ok with this. When you buy one of these devices you’re buying into the idea of a closed ecosystem with enhanced security coming from the strict identification of, and vetting of, developers (that’s why it takes us a few days to get an app into the app store…).

Opensourcing our iOS and especially Android clients would also lead to copy-cat apps popping up rapidly that are exact clones, but have money stealing back doors :frowning:

By having an open API, we give you the option to bank with us and use only Free software, and I’m sure the community will build many amazing client tools that are free.

Simon


(Mitar) #12

I really do not understand where this idea that closed source increases security comes from. There is no computer security researcher I know of who would claim something like this. I linked above to the blog post of one of the most prominent computer security researchers, who talks about this more.

Again: closed source decreases security. The only reason why you would want to close the source of something is a business decision, not a security decision. And the reason why you would want to open source something or make it free software publicly is an ethical decision. And Mondo is claiming to be an ethics-based bank.


(James Billingham) #13

Open source does not increase security by itself though.


(simon) #14

(Some opinions here, want to be clear these are mine, and others in Mondo may disagree)

Totally agree… that’s one of our motivators for wanting to opensource a lot of our core libraries, and why we use opensource (and FOSS) tools like Nginx and Cassandra (and many many more).

On one hand we would love to Open Source as much as possible to get the benefits of Many Eyes helping us find issues before they become issues… On the other hand, a lot of our Core (server) software would only be useful to people who want to run a UK Retail Current Account bank, and would hence be competitors of ours. (so it’s a business decision.)

On the Client (Android/IOS) side we’d get the benefits of Many Eyes (again,) and potentially foster a useful community of people customising/improving the client apps, but at the risk of Copy Cat apps that are exact clones, but have had back doors put in them…

Fraud and malfeasance are huge drains on society. If everyone was nice, and financial computer crime wasn’t a thing, then we’d totally open our client apps I think.


(Mitar) #15

I can agree that some hard-core computer science-based services might want to keep their secret sauce closed source. I can understand for example that Google is keeping their search engine algorithm hidden.

But for banking I do not really see many such cases. It is mostly business logic for various features. Displaying user interfaces, what happens on various API commands, making sure regulatory things are followed, logging, auditing, and so on. So code like this is hard to make right, but it is not something one would go to a competitor and try to steal. Because it is pretty reasonable what has to be done. It is just hard to do it and a lot of work.

In banking, examples of such algorithms would probably be those that determine if somebody can get a loan or not. Those might be reasonable to keep hidden.

But client-side code and other common features, would this really be stolen? If you would see how Facebook messenger code is done, would you copy or use that information in your messaging client? Probably not.

About copy-cat apps, I think this is a valid point, but you will have to resolve that anyway. How to assure that users are assured that they are using the real app?

On the other hand, what if I do want to use your app, but with a small change for myself? No backdoor, but I want to change it for my personal use case. I can create a whole new app from scratch using your API, or I could just fork your app and use it. This freedom is what the GPL is about. And you can talk to RMS and ask him: do you think users should be able to modify our client apps? Guess what he will answer?


(Josh Bray) #16

I’d say one of the main issues is around competition law. Revealing internal information to competitors that could give them an advantage is against the law.


(Mitar) #17

I have never heard of this? Really? Can you direct me please to a law which describes this?


(Josh Bray) #18

Sure, it only applies to certain industries and banking is one of them. We aren’t allowed to share internal information. Not allowed to share information which could lead to fixing or unfair competition or advantage. Essentially if you do something that can be seen to remove competition, you’re breaking the law.
http://www.out-law.com/en/topics/eu--competition/competition/competition-law---the-basics/


(Mitar) #19

Oh, yes. But the purpose of those laws is that banks cannot collude together, not that a competitor uses information for their advantage, no? I also do not think code would be seen as such information sharing for the purpose of this law.

But it is an interesting issue nevertheless.


(Josh Bray) #20

It can be seen as it. If Mondo reveals code that is their main feature, it can be seen as removing competition. So it would be against the law. Banks have to be really careful. I’m just worried how Mondo will cope with the regulators breathing down their necks.