The Adobe/Omniture/ Controversy and the Danger of Closed Source

If you haven’t been following, there’s a bit of a scandal in the blogosphere these days about Adobe software products (like Photoshop and their whole CS3 suite) phoning home to a suspicious-looking (indeed, intentionally deceptive) domain name – That’s “two oh seven” not “two zero seven”. It’s designed to look like an IP address on/from your local network (192.168.x.x is a very common private IP range). People started noticing these calls, and wondered what the heck Adobe was up to.

Turns out, the calls to that address were used to send usage statistics/data to web metrics company Omniture. This, in itself, is not a big deal. Almost everyone uses some kind of web metrics. Google Analytics is a popular one – I use it on this blog. We even use Omniture to track stats on Intel Software Network. Web sites do this all the time, and it’s normal. But when it’s an application, not a web page, making these calls, and it’s happening without the user’s knowledge or permission, and when it’s going to an address that was intentionally made to deceive people, well, folks get mad.
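As an added illustration (not from the original post, and not Adobe’s or Omniture’s code), here is a small Python check, run over a few constructed outbound-connection log lines, that flags destination hostnames built to resemble an RFC 1918 private address, including the letter-O-for-zero trick described above. The process names and hostnames in the sample log are constructed for the example.

```python
import ipaddress
import re

# Letters that read as digits at a glance: "2O7" (letter O) looks like "207".
LOOKALIKES = str.maketrans({"o": "0", "l": "1", "i": "1"})


def private_ip_lookalike(hostname: str):
    """Return (reason, normalized_prefix) when a hostname is shaped like an
    RFC 1918 private address, else None. Bare IP literals are real LAN
    destinations, not look-alike names, so they are not flagged."""
    try:
        ipaddress.ip_address(hostname)
        return None
    except ValueError:
        pass
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 4:
        return None
    raw = ".".join(labels[:4])
    normalized = raw.translate(LOOKALIKES)
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", normalized):
        return None
    try:
        addr = ipaddress.ip_address(normalized)
    except ValueError:
        return None
    if not addr.is_private:
        return None
    reason = "digit lookalike" if normalized != raw else "private-looking prefix"
    return reason, normalized


# Constructed log: timestamp, process, destination hostname (not real data).
SAMPLE_LOG = """\
2007-12-27T10:01:02 photoshop.exe 192.168.1.2O7.example
2007-12-27T10:01:05 photoshop.exe stats.example.com
2007-12-27T10:01:09 bridge.exe 10.0.0.5
2007-12-27T10:01:12 bridge.exe 172.20.5.9.cdn.example
"""


def scan_log(text: str):
    """Return (process, destination, reason) for every suspicious destination."""
    hits = []
    for line in text.splitlines():
        _ts, proc, dest = line.split()
        result = private_ip_lookalike(dest)
        if result:
            hits.append((proc, dest, result[0]))
    return hits
```

A real deployment would feed this from proxy or DNS logs, where an application resolving such a name is the signal worth alerting on.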

Adobe blogger John Nack has been doing an admirable job providing answers during this fiasco (he has a good FAQ post on the topic). (On a side note, I’m proud of Adobe for having bloggers to talk about stuff like this. Imagine how much worse for them it would be if they didn’t.) But there’s one question that Adobe hasn’t given a satisfactory answer to (and, surprisingly, it’s because they say they don’t know the answer):

Q.: Why does Adobe use a server whose name is so suspicious-looking?
A.: I’m afraid the answer is that we don’t really know. The fact is that this SWF tracking code already existed on the Macromedia side at the time the companies merged, and it was adopted without change by a number of products for CS3. The people who wrote the code originally did not document why they used that server name, and we can’t find anyone who remembers. I’m sorry we aren’t able to provide a more solid, definitive explanation.

Emphasis mine. Besides the fact that they’re blaming this on the guys at Macromedia who wrote the code that’s doing these calls, they’re basically saying “uhh, we just had all this code that we dropped in there, and we don’t know what’s in it, and we didn’t review it, and it’s not documented, and nobody who worked on the original code works here anymore. So we don’t know why it’s doing that.”

Not exactly confidence-inspiring, is it?

So why is this post titled “the Danger of Closed Source”? Simple. If this were an open source project, with an active community of developers involved, the code would be available for anyone to review, and this kind of deceptive trickery would have been exposed a lot sooner. Not to mention the fact that a patch to remove it would have been made available already. Or the fact that the quality of the code in general, and the documentation, would probably be a lot better. Open source doesn’t magically make these things happen, but in a popular, well managed open source project, it’s more likely to happen than in a closed source project.

I’ve been doing a lot of reading about open source, its culture, and its practices. I highly, highly recommend a couple of books on the topic: The Cathedral and the Bazaar by Eric S. Raymond and Open Sources 2.0, a collection of essays compiled by Google’s Chris DiBona and my friend Danese Cooper (those are both affiliate links). Both books, and the essays they contain, do a terrific job of getting past the “hype” and stereotypes of open source software, and of explaining why, increasingly, closed source software is a bad idea for software quality, for customer experience, and as a business model.

This latest example with Adobe and the nefarious domain name only serves to illustrate that point. I actually feel bad for them. They acquired a company and its “assets” (a bunch of code that they had to integrate into their own products). They probably chose not to spend the resources necessary to go over every line of code (of which there are probably millions) to understand everything it’s doing. Who would? So, they do the best they can, integrate the code, test it, make it work, and, having done their best, release it to the world.

And then something like this comes along and bites them. And even though they did their best, they’re still getting hammered for it. By the press, bloggers, and eventually, shareholders to whom they’re accountable.

But it gets worse! Want to think of something REALLY scary? If Adobe “just doesn’t know” what’s in the code that’s on millions of people’s computers around the world, who’s to say there’s not something a lot more dangerous, a lot more malicious, and a lot better hidden lurking in there? What if a disgruntled Macromedia developer hid some code that would give him backdoor access to every computer running Photoshop? What if there’s code in one of these apps that’s silently searching hard drives for passwords and other identity information, and sending it off to some evil dude in a foreign country?

That’s the danger of closed source software. When you use it, you’re putting yourself completely at the mercy of the people who wrote it. You’re giving them your trust. Based on what? Hope and blind faith? The fact that nothing bad has happened so far? Adobe trusted the source code, and customers trusted Adobe. And look what happened.

Are you a little bit more wary about closed source software after reading this? I hope so.