Is Monzo open source

How would it be seen as removing competition?

Sharing your source code is anything but removing competition. It is far from anti-competitive.

I guess that because another bank could copy key features it would result in less differentiation between brands -> more similar products = less competition?

Yup. The regulators are very picky about this law.

Less differentiation doesn’t result in less competition.

More products does result in more competition, though - regardless of how similar they are.

If anything, having so little differentiation will encourage companies to differentiate themselves, creating competition.

What is illegal and anticompetitive, is exactly what @Jkb114 linked, price fixing and the likes. I don’t see how sharing code would be seen as anticompetitive, personally.

I’d actually suggest it’s not anything like as clear cut as you think in terms of closed source immediately leading to less secure software. It very much depends on a wide range of factors and the attackers at hand.

In the example of mobile client software (ironically the one area Mondo stated up-thread that is closed source), I’d say that you might as well open source it, as the client software is downloaded and run on a device managed by the user, so the attacker can easily get access to the source code. In particular for Android, Java code is generally pretty straightforward to decompile (if we wanted to get technical we could talk about obfuscation tools and the like, but in principle I think the idea of code on a machine you don’t own == attacker can view the code holds).

For me it’s definitely not the same for server-side code (so for Mondo, things like their Go microservices). As a pentester, if I can get the code it makes my life in attacking it much, much easier. I can trace bugs, I can find potential vulnerabilities without having to send any requests to the server, etc. etc., so releasing that as open source presents a risk.

Now there is an argument that “hey, the bad guys will find the vulns anyway”. Sure, but a major principle of security is “make the bad guys work as hard as possible”, as it gives the defender more chances to catch them at it and react to the attack. If you make an attacker send 1000s of requests to fuzz web services, you get 1000s of chances to detect the attack and react to it, which as a defender is very valuable.

Also, the other likely security reason for open sourcing which is provided, “many eyes make all bugs shallow”, is well… very rarely true in practice… for excellent examples of why it’s not true, look at Heartbleed and Shellshock. Both vulnerabilities in very heavily used open source components that lay for years without being discovered…

4 Likes
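One way to turn the “1000s of chances to detect” in the post above into an actual control, as an added example that is not from the original thread or from Monzo: a small detector over constructed combined-format access-log lines that flags a client producing many error responses across many distinct paths inside a short window, which is the trace a blind fuzzing run leaves and a legitimate client rarely does. The log format, the client addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format) for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2016:13:55:36 +0000] "GET /api/accounts HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2016:13:55:40 +0000] "GET /api/transactions HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2016:13:55:40 +0000] "GET /api/accuonts HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:55:41 +0000] "GET /api/admin HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:55:41 +0000] "GET /api/debug HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:55:42 +0000] "GET /api/internal HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:55:42 +0000] "GET /api/v2 HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:55:43 +0000] "POST /api/accounts HTTP/1.1" 400 0
203.0.113.9 - - [10/Oct/2016:13:55:43 +0000] "GET /api/status HTTP/1.1" 500 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')

def parse_line(line):
    """Return (client, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return (client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status))

def find_probing_clients(log_text, window_s=60, min_errors=5, min_paths=4):
    """Return {client: (errors_in_window, distinct_error_paths)} for each client
    whose 4xx/5xx responses inside some window_s-second span reach min_errors
    and touch at least min_paths distinct paths (thresholds are assumptions)."""
    errors = defaultdict(list)            # client -> [(timestamp, path), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4] >= 400:
            errors[rec[0]].append((rec[1], rec[3]))
    flagged = {}
    for client, errs in errors.items():
        errs.sort()
        start = 0
        for end in range(len(errs)):     # sliding window over sorted error events
            while (errs[end][0] - errs[start][0]).total_seconds() > window_s:
                start += 1
            window = errs[start:end + 1]
            paths = {p for _, p in window}
            if len(window) >= min_errors and len(paths) >= min_paths:
                flagged[client] = (len(window), len(paths))
    return flagged

if __name__ == "__main__":
    print(find_probing_clients(SAMPLE_LOG))   # prints {'203.0.113.9': (6, 6)}
```

A single mistyped path from 198.51.100.7 stays below the thresholds, while the burst from 203.0.113.9 is flagged; in practice the flag would feed rate limiting or an alert rather than just a print.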

I imagine Mondo will go the way of Airbnb, and ultimately open source some of their periphery tooling but not the main banking functions, a la http://airbnb.io/projects/

This “pieces, but not the whole” works for a lot of companies.

Some sources:

And of course this one:

(I tried to add more sources to this, but got the ridiculous “sorry new users can only post 2 links in an article”)

I know this was years ago, so I’d love it if, but I’m not hopeful that, Monzo’s attitude to Open Source might have changed.

This was such a painful thread to read. Yes, it’s unthinkable that a regular bank would open-source their code, in the same way that it’s unfortunately unthinkable that they would have reduced transaction time if they hadn’t been forced to, or that they would use standard 2-factor authentication methods. The banking sector have various delusions:

  • firstly their security needs are different from (greater than?) the rest of the tech industry, and so they need different methods
  • secondly that their use cases are legitimately so much more complicated, so they can’t possibly use the same tools and practices as the rest of software

One of the reasons I and many others love Monzo is it’s supposed to be the antidote to these ways of thinking. It’s supposed to be modern.

Security

So it’s so disappointing to see people advocating for the same misguided security through obscurity methods. Aside from the basic fact of people being able to read your code to help you find bugs, there’s an important psychological component to this: In security, you should be extremely deliberate about knowing what your secrets and your walled gardens are - your private keys & passwords, your firewalled local domains, your DMZs. When you rely on security through obscurity, people end up being incredibly fuzzy about where their secrets or vulnerabilities are: You can commit sensitive information to your central repository because it’s not open; you don’t have to worry about solving a security problem in a hacky way right now 'cos no-one can see it.

The fact is, zero-day vulnerabilities in closed-source programs can and often have remained unfixed for years and years. There is nothing like the vibrancy of the open-source security community keeping everyone honest, and pointing out issues in your security logic.

It’s hard to prove absolutely empirically that closed-source software is less secure, because you just don’t know what you don’t know in terms of how many zero-day vulnerabilities for closed-source systems are out there, and how many of them would have been different if it was open source, but from all the myriad serious problems we’ve seen in Windows vs Linux, Internet Explorer vs Firefox, even negative stories like the way Heartbleed in OpenSSL was handled, it seems absolutely clear to me that open source software is ultimately way more secure than closed source software. There is a general consensus in the security community that open source software is probably more secure, with some evidence.

Business case

The other part of this is about business risk, and again, I think the arguments made here are somewhat misguided.

I completely agree with @mitar that what’s happening here is that the code is being massively overvalued.

The first thing is, people probably won’t steal your code. I work in open source and look at open source code all day long. It’s incredibly difficult to simply lift and use anything wholesale. Very occasionally I can inspect others’ code to see how they solved a problem, but even then it’s never a perfect solution for my use-case.

Even if I literally did want to replicate Mondo wholesale, and I didn’t have any different business requirements, I would still need an exact equivalent team of developers with the same skills and the same processes to even put the thing together right. It’s incredibly hard and slow to work on other people’s code that you had no hand in writing, which is why developers have a strong tendency to try to write code from scratch even where very good quality code exists for them to copy.

The fact is, the code is the least important part of all this. Once I’ve seen you solve a problem I really don’t need to see your code - there is plenty of research showing that students will declare a problem impossible to solve, then when shown that it is in fact possible, can then solve it amazingly quickly. Once I’ve seen Monzo achieve something, I can probably come up with a way of solving it that’s better than how your code did it, because it’s been proved to me that it’s possible, and I can see the broad shape of how you did it, so I can iterate on it.

The things that are valuable and unique to Monzo are the concepts of new ways to handle banking, the elegant designs that solve those problems simply for users, and the team of people who have built ways of interacting with each other allowing them to continue to solve new problems just as elegantly.

Everything here apart from the Monzo employees can and will be copied and built upon by competitors, but opening up your code will hardly help them - they’re very unlikely to copy it. The only thing stopping them is licensing, copyright and patents. But to the extent that Monzo are unable to stop competitors copying them, it’s actually only a good thing for humanity - the banking tech moves forward, led by Monzo.

Cases where the code actually matters are only where you’re solving a really difficult mathematical or logical problem in a completely new way (a new search algorithm for finding data faster, a new compression algorithm that could revolutionize communication like the fictional one in the show Silicon Valley, a new NP-complete problem for enhanced security). Even in these cases, others will likely solve them very fast as soon as they’ve seen it’s possible. Also, in most cases, it’s almost unconscionable to keep these new solutions secret - they should be contributed towards the benefit of all mankind. The most famous case of this sort of business-case closedness is probably Google’s search algorithm, but again I would say them continuing to keep it secret at this point - where that algorithm defines how much of the world finds information - is also pretty damn unethical.

1 Like

Curious, why are you posting this on a 3yr old thread?

4 Likes

What’s your primary motivation for advocating open sourcing their code? Confidence in their ability to deliver a secure product? Or would you actually intend to use the code in some way?

Because it is still relevant?

2 Likes

Aye? Mondo? Aye? :wink:

Should I have started a new thread? I could do that. But as @mitar says, sure the name has changed, but the question of whether it’s open source is unresolved.

I have absolutely no interest in copying the code.

I believe that being open is an important moral imperative for all honest organisations. In our increasingly opaque & scripted world, where our lives are governed by complex algorithms usually outside our view and beyond our understanding it’s especially important to try to provide a little transparency over how you are, in this case, processing people’s financial lives.

Open source allows, if not your actual users, then at least a few well-meaning researchers or community activists to see how you’re treating people’s data, financial and otherwise.

I mentioned how Google is covertly tailoring and filtering what information most of the world is able to find with their search algorithm. Monzo is obviously less significant, purely because of their size, but similarly the decisions they make in code matter to people and people deserve to see them. From how interest or charges are applied, to which contacts appear first in their contacts list, open source is the ethical choice.

1 Like

And to many people, open source = hackable.

For every ‘well-meaning researcher’ there is a rogue agent after all.

Ethics over security I think, and given this is people’s finances (not the search histories which are still as valuable but not as directly impactful), I’m happy for my banking application to run on non-open source software.

Did you read my original post? Security is simply not a valid argument against open source.

I don’t know where you’re getting your information, but “open source = hackable” is simply incorrect, and probably dangerous thinking. No serious security expert that I’m aware of actually thinks open source is less secure, and most of them think it’s more secure.

1 Like

I didn’t say ‘security expert’. And I did read your original post.

Let me rephrase.

“Hey, Mrs Random person I’ve stopped in the street, did you know that your bank, Monzo, lets people look at the code for their software and that they can try and break it if they want?”

For most people, even with only a passing interest in computers, that does not sound secure. And most people want security when it comes to their bank.

Hence why I don’t think this is a great idea for Monzo to pursue.

I’m more than familiar with open source software and the ideas behind why it is a good thing, but the majority of the customers of Monzo are unlikely to agree with your world view on this.

IMO.

P.S. Not gonna respond again, this is a small matter of curiosity to me, but aware that it is a lot more of that to others, I’ll let those people discuss it if they wish. have fun.

It doesn’t make any sense to open source from a business point of view. Monzo worked hard to build their whole stack from zero. If they open source, they are going to lose their competitive advantage.

I do think it makes sense to open source certain components for the benefit of the community. Which they already do: https://github.com/monzo

2 Likes

What? You think other banks will copy their code? That is why they could license their code under AGPL, and then that bank would also have to provide code back. How exactly would they lose competitive advantage in any of those scenarios?

I think it would be exactly the opposite, they would have the advantage because they would be open source.

1 Like