A little note on ethics

A few months ago, we floated a topic about trojan horses and passwords in programs. Consider this little gem:

A customer called, asking if there was any way to bypass the password in one of our PLCs. Apparently, the guy who wrote the program for dozens of machines took the source code with him when he "left the company." All of the installed units are password protected. You can't get the program out, and they have no source code to dump in if they clear the memory. Right now, they're trying all the password combinations, one at a time in order to recover the source code.

Hi,

My personal opinion is that passwords are for protecting the device from being tampered with and that all documentation/backups are the responsibility of the developer/technician to be maintained in a secure place.
Anyone who would make a system depend on their presence is not only unethical but shows a great deal of insecurity, likely deserved.
The only way to truly have job security is by writing programs that can be troubleshot, updated, downloaded etc. by any qualified person who comes behind. This person will always have work.
Also a sign of a good tech is one that is proud enough to sign his work.

IMHO,

Brian Silver
Electronic Tech/Industrial Electrician,
Lafarge Canada,
Bath,Ontario,Canada

akeel,

Your customer need to make two phone calls, 1 a lawyer, 2 the local cops, maybe the FBI. A crime has been commited. The source code belongs to the owner who paid for it, and not the tech who wrote it. In this country USA these guys can be dragged infront af a judge and made to pay for their crimes (financially, and punitivly). Take legal action now! This is theft just like stealing a car, of slashing it's tires. There is no difference!

Just to throw a little spin into the discussion, actually it depends on how the contract is worded. Copyright remains with the developer usually unless it is specified in the contract. This is classified as intellectual property. So... It all depends on how much they really want and need the original source. This can apply even if he was a true employee of the company, although in this case the company has a much better chance of obtaining such material as most times the company owns any intellectual materials produced by said individual during the time of employment and sometimes for some specified period afterward as well.

Not for nothing but I would think the source code belongs to the company that provided it. Whether the customer owns it or has an exclusive or non-exclusive right to use or modify it would depend on what agreement the company has with the customer. I would think the customer has a right to a backup copy. Employees come and go. Doesn't the company have a system in place to protect their property?

Unless the application is a safety issue (eg Pils PSS, S7-F or similar, the only real reason anyone would want a customer not to have a copy of the program is insecurity (and, yes, I did note another posting about OEMs, but isn't that a diffferent issue(?) )

We've always taken the attitude that we don't want to be called out every time a limit switch fails, and the customer's electrician wants to go on line to find out why the line isn't working. Most times he just wants to monitor, not change, the code, or in extreme cases, reload when a power surge takes out the CPU.

Usually one of the key points of any contract we enter into is that the customer has the IPR for the software (finished copy including a CD backup), and password protection is given just in case (as akreel mentioned) the programmer leaves or is hit by a bus, etc. In the case of a safety / fail safe application, a written contract should explain that there are legal implications of modifying any code.

In a recent contract, out customer stipulated that any proprietary source code that we did not want the customer to see be placed in escrow. That way, if we go out of business or the above happens, they are covered. We don't have proprietary code and just give them everything.

For my own part, I provide full source code for all machinery we produce except for ::::::

Our Process code that is only for our eyes !!

All actuations and controls are fully provided with symbols etcect however our Process code as we call it is Block protected with siemens as in they can reload our code but can't modify it. Any changes made by them to the control code is their obligation .

In the past before Block Protection (siemens) i would have left the Process code without symbols just to make it so damn unreadable they don't bother. Theres lots of ways around all this but at the end of the day, if all else fails the customer can reload the original code to allow the machine to work.


THats usually the case anyway........

[COLOR=red]Mylo [/COLOR] said:

...i would have left the Process code without symbols just to make it so damn unreadable they don't bother...

Click to expand...

That is exactly what I do in this situation and it does not happens often. I take my 50 rungs, take out the comments and label and mix then around.

The guy who can sort his way out of it would have gotten out of other schemes anyway.

elevmike said:

...maybe the FBI.

Click to expand...

Funny you say that, because they might already know.
I don't know exactly who the end user is but the customer offered to get us written permission from "his boss, and his boss' boss" to try and hack into the thing.

I'd be willing to bet these PLCs aren't controlling bubbles in a hot tub.

The original post refers to ethics.

I think there is a huge difference between what is ethical and what is legal.

Let's not get into what is moral.

Ethics should span legal boundaries and should be both a personal and a group concern, monitored and maintained by peer pressure at the least. My thoughts anyway.

It may be legal to foreclose on the widow but is it ethical?

Brian.