How could you prove someone stole your source code?
In 2014, Cisco sued Arista for stealing Cisco source code. Arista’s counterargument was that they didn’t steal the source code, but they did make a lot of their software behave similarly, because Cisco is a dominant force in networking. Customers would be more likely to take a chance on then-upstart Arista if it looked and felt like all their other networking gear when they logged in. That meant look and feel like Cisco.
Impersonating Design or Stealing Source Code?
Arista also argued that Cisco didn’t really have a problem with this until Arista started eating their lunch in switching; in fact, they say, Cisco encouraged this kind of thing because it helped solidify them as the clear industry leaders.
This countersuit claims that Cisco violated the Sherman Antitrust Act by encouraging the industry to use Cisco’s CLI commands as a standard, then turning around and suing companies that embraced that CLI standard.
– The Cisco-Arista Battle over CLI
The suits and countersuits took meandering paths over several years. It was not entirely clear how much impersonating versus copying had occurred. When Cisco pointed to something, Arista would say, “well, yeah, we did it it the same way, but not because we were copying source code.”
Not quite the same, but as well there were notable lawsuits between Google and Oracle over the Java API. Oracle owned Java (by acquiring Sun), but it was not clear if that extended to owning the API - Google implemented their own version of the Java API so that they weren’t dependent on Oracle’s complete Java installation.
I’d paraphrase Google’s arguments as, “yeah providing an identical Java API is like putting the gas pedal on the right and the brake pedal on the left. Honda’s not stealing Ford’s intellectual property, they’re just making it easy for Ford drivers to use a Honda.”
Both Google and Arista are saying that they’re only impersonating the surface parts, they’re not copying all the important implementation bits under the hood that make it go.
Generally arguments are some combination of these things:
It’s the best/only reasonable way to do this particular thing, so any good software engineer would choose this. (In the Google v. Oracle thing, the judge William Alsup was a hobbyist programmer sympathetic to this argument.)
We were trying to present the same interface because that’s easier/better for customers, but it’s different under-the-hood.
We didn’t steal any of your bits. Sure, we may have hired engineers from your company to build the same thing at ours, but we locked the engineers in a room without any of the old source code and told them to make it from scratch (called a Clean Room Implementation).
How can Justin Bieber Help?
Standing around the proverbial water cooler one day, a group mused about how we’d handle this. Imagine you suspect a competitor has stolen your source code, but lawyers are really expensive so you want to be sure you have strong evidence before you call them up. You’re not going to have access to their source code during your preliminary investigation. But say you have access to their product: you could buy an old barely-booting switch on eBay or whatever.
Our solution:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ ssh admin@competitors-switch
Password: ********
# show justin-bieber
.,0NMMMMMMMMMWKc.
'k0NNWWWMWWWWWNK'
.kOkOkOO0KXXNXXXXl
.O0KKXXK0O0KXX0k0k
.dKNNWXxckOKOkxdOO.
.kKkxl,.,''...co;
.c'..;;c,.....:
.'.,;,:;''...
.',;::'..'.
.',d;,,;cxd,..
.xOO00OKMMMXOKXXKd;,,0Kkdl;'.
.lXMMMMMMMMMMMMNKOxlcdxKMMMMMMMMN0o:
.c0WMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWWx'
.lNMMMMMMMMMMMMMMMNxlc;,,lNddk0XWMMMMMMMWWWO;
,dNWMMMMMMMMMMMMMNkc'..,ldc,:..'..,oKMMMMMMMWWW0.
.ck00000KKKKKX0xlc,....c0WMMWO0oKWKl'..;xXWMMMMWWWNd.
......;llc:;,'.......,;:okOkl:clOKOkxc;c:',:c;;o0NWWWWWWk;
.'''.............',lkKNWWWWWMMMMWW0xkOOOOxx00Okc;,'';lxOKNN0l'.
..............,;,'..NMMMMMMMMMMX0NWMMMMMMMMMMMMMXNOo;,',,,;;::::,.
. . . . ';,;. ;MMMMMMMMMMM0kNNMMMMMMMMMMMMM,;OWNOl;,,,;;::;,.
.,..' . oMMMMMMMMMMMWNWMMMMMMMMMMMMMM, .oko;cc::::ccc:'
kMMMMMMMMMMMMMMMMMMMMMMMMMMMW'.. 'odolllllc
#
You should make a hidden command that when executed just outputs a little bit of absolutely useless (and barely distinguishable - it kinda looks like Justin Bieber?) ASCII art.
Lots of product have hidden commands, but if they’re at all useful (some undocumented mode) they’ll leak. Some support engineer will let it slip, or it’ll accidentally show up in some test report or something. Plenty of great features start life as something intended for internal use only, but whatever engineering itch they were scratching happens to exist at your customers, too. Your competitor could argue that your undocumented feature was de facto public, and so they impersonated it to please customers.
This hidden command has to be useless and absolutely impossible to accidentally reimplement.
Nintendo and Steganography
Nintendo employed an authenticity check that worked kinda similarly for GameBoy. Nintendo wanted all GameBoy games to be approved by them - they did not want GameBoy to run arbitrary third-party cartridges. If you’ve owned a GameBoy, you definitely remember the first thing every game did was drop the “Nintendo” logo down from the top of the screen to the center.
This logo had to be present in the cartridge, and it had to be bit-for-bit identical to the Nintendo logo or the GameBoy would refuse to run. However, the Nintendo logo was unambiguously trademarked all over the world. So maybe a third-party game developer could get away with making GameBoy-compatible cartridges in various jurisdictions, but they couldn’t get away with distributing the trademarked logo. At least, that appears to be the thinking in Nintendo’s legal department.
Another kinda similar topic is steganography, hiding one message inside of another. For instance, many images contain huge amounts of information. Every pixel may be made of 3 numbers (representing the amount of Red, Blue and Green at that pixel), and each of those numbers may be 8 or 16 bits long. Each of those bits are not equivalent - turning on the “left-most” most significant bit adds as much red as the rest of the bits put together, and the “right-most” least significant bit adds a miniscule amount of red. So maybe we could steal some least-signifcant bits for our own purposes, to convey a hidden message.
You can see an example of hiding a picture of an F15 inside a picture of an arctic hare here. The results are indistinguishable to the human eye.
Steganography is widely used for digital watermarking of media. It was also used by Jeremiah Denton, a prisoner-of-war held in Vietnam: he was interviewed under duress on T.V., pressured to describe the conditions of his imprisonment as adequate. However, while speaking he blinked his eyes in a weird rhythm that spelled out “T-O-R-T-U-R-E” in Morse Code.
Detecting steganography is really hard, especially in media. This is because media generally has way more information (especially in uncompressed form) than most humans need to enjoy it. There are bits lying all over that you can steal, without anyone knowing the difference.
Long ago, I compared some MP3 stores - did my purchased download have an embedded fingerprint? I made two separate accounts at each store and bought the same song, downloaded it and compared. My recollection was that the Amazon MP3 Store was bit-for-bit identical; the entire MP3 file was the same no matter who downloaded it. Not so for Apple iTunes Store - downloading identical song files (MP3 or AAC; this was pre-2010) on different accounts resulted in differences. These were not just in the metadata - the actual resulting WAV was (inaudibly) different. I cannot say for sure but that would indicate Apple was embedding some sort of fingerprint. If the file appeared on some torrent site, it would be possible for Apple to figure out who downloaded it (no idea if this was ever actually done).