• boaz

Why Open-Sourcing your Bank is not the best idea

Open Source is amazing, combined with the open nature of the internet, where everything is accessible, it drives an amazing force into the developer’s community, developing ideas has never been easier. You just get the on latest github repository, download the source code, try it and voila! It is working.

Well while the fantasy is amazing, and partially true, it really was never easier to build a new product, you need less developers, there is an abundance of knowledge and experience, usually more than you need and some that will mislead you.

The thing is that if the project is very successful, with a vibrant community, they will not give you access to the source code in a way that you will be able to support, fork and build your own project out of that easily . And if the project is less successful and less maintained, than you will have to invest significant resources in building an enterprise grade and customer ready product.

If the nature of your project is a PoC, testing a new technology, or shared research, then definitely open source will be providing you with amazing resources to be shared and used to evolve your research further.

“Just fork another project”

Well after reviewing several dozen projects for a specific product we have been working on, our kesem wallet (www.kesem.io). We found none that meet our criteria. On one hand this is good news because no one is building the same thing, on the other hand, maybe it meant that our criteria was not so good?

So we double checked our criteria, and we narrowed down to several projects, for example we looked at mycelium which is a known,respectable project, the project for iOS has not been maintained in recent years but we thought we could use it anyway, we added multisig support, but we found it not to be a good fit for our project.

So we tried another, we looked at Bitpay, which later we found out it is a good thing we didn't use because it was hacked: “https://cryptodaily.co.uk/2018/11/popular-bitpay-wallet-hacked-private-keys”, another incident that happened in the last few weeks, causing a loss of over USD1M to users of electrum wallet: https://www.reddit.com/r/CryptoCurrency/comments/a9yji3/electrum_wallet_hacked_200_btc_stolen_so_far, though this is considered a phishing campaign, it is highly reliant on the open source nature of Electrum wallet.

There is a common belief (A wrong common belief) that if you open source your code, it can be trusted as it will be peer reviewed and the malwares and security issues will be fixed by the community. Not only it is not true, but if we look at open vs closed source environments we can see clearly that open source environments have significantly more malware and vulnerabilities vs closed source, see later for references supporting this claim.

There are other, security related disadvantages for open source, when anyone can peer review your code, that allows to hackers do the same, anonymously, find a vulnerability and exploit it, see research done by zimperium team where they methodically researched android code to find an exploit: https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

To do the same on iOS is rather hard as (most of) the code is closed. Yes there’s a level of trust and there is a good case around why you should be publishing how you are doing what you say you are doing, while also providing a way to a 3rd party to review that.

A Report on 2017 malware by Kaspersky : https://securelist.com/mobile-malware-review-2017/84139/ says 43 million malware attacks have been aunched on android users. A comparison analysis between iOS and android shows that iOS has around 50% of vulnerabilities compared with Android for the same period in 2018.

In no way am I saying that there is no place for open source, as a Programmer for the past 30 years (Yup, I’m that experienced :-)) I must say that it is amazing what can be accomplished today with github and python, things that you needed significant funding and resources some 10 years ago are now very easy and fast to try.

Blockchain and Bitcoin is Secured so why Billions of cryptocurrencies are stolen?

Imagine your bank would be using open source projects for its infrastructure, soon the banking trojans will be infected and integrated into future versions of the source code. Malicious developers will be putting backdoors and altering sources, creating phishing campaigns in multitude of ways.

This is the current situation with Blockchain and Bitcoin Based wallets.

Kesem.io is building a secure mobile platform for blockchain assets to enable the next generation of banking.


© 2018 by Kesem.io