It was a regular Thursday morning for Roman Khalenkov, chief commercial officer at PortaOne. Roman brewed his coffee and posted a new set of Barcelona street art to his Instagram. He then opened his office email and… something unusual for the daily routine of a CCO happened. An email with the subject line “Negotiation” arrived in Roman’s inbox, sent from the account firstname.lastname@example.org. It looked like a request for a source code ransom.
The email read:
In this story, we’ll explain what happened next, i.e., how we formed an emergency response team, communicated with the hackers, conducted a vulnerability audit, and emergency stress-tested our entire IT stack. And had fun, and (of course) ended up paying nothing. You’ll get a brief overview of our DevOps procedures and daily business practices, and you’ll learn about source code ransom as an emerging cybersecurity trend, an iffy business model, and… well, a great source of interesting information for content marketing purposes.
“I am the Modules.PM now!”
The first thing Roman did with the alarming email? He forwarded it to Yurii Zotsenko, our Head of IT, and Andriy Zhylenko, our CEO. The irony of the situation is that, only recently, we had discussed software piracy as a possible storyline to be further explored in the content marketing context. So, Andriy also forwarded a screenshot of the email to the Slack channel where we discuss this very blog.
Once our emergency task group analyzed the message and the traffic log on our servers, we figured out that the “we hacked your servers” part was most likely a bluff. Nevertheless, the “proof of a hack” part appeared to be authentic. That worried us a lot. The Modules.PM library is insignificant – we use it to manage other modules of PortaSwitch. But, yes – it is indeed part of our code.
After a discussion with Oleg Shevtsov, head of our PM office, Yurii sketched out a hypothetical timeline of the preceding events, as well as our future course of action. Luckily, the situation turned out to be not as gruesome as we initially feared.
How Our SaaS Business Model Kept Us Cool
As we’ve explained in the past, our business model is focused on adding value to our perpetual lifetime license, not on the code itself. Andriy explains: “The PortaOne business model is very similar to that of open-source software. However, we decided not to go completely open source, because some chief executives associate that idea with free of charge. Then it becomes difficult to explain that what our clients are really paying for is the training on how to use our software, detailed well-structured documentation, 24/7 support, and instant access to the ongoing platform evolution.”
So, the PortaOne sales team based the decision to keep our source code “open to any clients who are ready to pay for the license” on pure business logic. It’s simply easier to sell our platform this way (compared to the canonical and GPL-certified concept of “open source”).
Why, then, don’t our clients simply use our code to start their own telecom software business? Think of the blockbuster movie Captain Phillips (the plot from the movie, mind you – not the real story of the 2009 Maersk Alabama hijacking by Somali pirates). The key takeaway of the film: “It might not be that difficult to hijack a huge commercial vessel. However, it is darn hard to steer and manage it afterward.” The same is true of hijacked source code for telco billing software.
Why You Would Never Want to Use a Pirated Softswitch
“Softswitch and billing are the core business systems in telecom. When you’re looking for a solution, you want a software vendor with a good reputation. (And with deep pockets, should things go wrong.) The last thing you want is to buy a business-critical system from somebody who simply forked it on GitHub and will disappear after selling it to you,” Mr. Zhylenko continues.
Stories from the Past: Mohamed
Like any good software company that’s been on the market a while, PortaOne is not a newbie to software pirating. Back in 2011, Mohamed, from a telco in Egypt, called our customer support to inquire whether he could “upgrade” his PortaOne system to include more billing options. He also wanted to update to a newer MR. After looking for the account, our support engineer – with a chill in his blood – called his supervisor late at night. It seems, he said, the data for a customer from Egypt “got somehow lost” in our CRM.
After an internal investigation, we discovered that Mohamed’s data had never been there at all. Somebody had sold him a “bootleg” version of our code, which had been stolen from one of our clients in the early 2000s. We immediately invited Mohamed to become our customer. Interestingly, Mohamed and his team are still with us, as of summer 2021, and his team was among the first to onboard to our cloud-based PortaSwitch. Mohamed’s story is exactly what is doomed to happen to anyone who buys pirated PortaOne source code from the “I am the Modules.PM now!” people and their like.
The Brief Tale of a Source Code Ransom Business
Source code ransom is a trending news topic right now. The primary culprit is the recent cybersecurity developments in the computer gaming business. Just last month, Electronic Arts, the maker of the FIFA, Sims, and Need for Speed video games, reported an IT breach that resulted in a massive source code leak of FIFA 2021. Prior to that, in February 2021, Warsaw-based CD Projekt S.A., one of the world’s most-hyped RPG game makers (think The Witcher or Cyberpunk 2077), reported a similar IT breach. CDPR had to rewrite essential elements of the code for Cyberpunk 2077.
Source Code Ransom v. Ransomware
Sometimes people confuse source code ransom with ransomware attacks. A source code ransom occurs when someone: (1) breaches the IT system of the victim business, (2) steals commercial software code from that system, and then (3) asks for “compensation” (i.e., ransom) for not disclosing the stolen source code to the public. Ransomware attacks, meanwhile, consist of (1) hacking a personal computer or corporate IT system, (2) encrypting all or part of the victim’s data, and (3) asking for a ransom in exchange for a “code” (i.e., a password, passphrase, or PIN) that will unlock the data. (Do not confuse this type of code with “source code”.)
Our Modules.PM story is definitely a source code ransom. However, unlike gamers, our clients (i.e., telco managers) don’t have the gift of extra time to look for, download, fork, compile, fake the security keys or apply “keygens”, or otherwise take care of any pirated version of our product. And even if they did (or someone else did, without their knowledge, as with the case of Mohamed from Egypt), there are huge compliance and reliability risks involved. Those risks definitely outweigh any possible benefits of a pirated PortaOne softswitch.
Got a Source Code Ransom Blackmail? Negotiate! If Only to Have Fun
While you, dear reader, are now “armed” with all the facts above, the pirates 🏴‍☠️ were not 😂. So, we decided to reply to email@example.com. Luckily, they sent us a Telegram ID titled “Boot Root”. To be ethical (without hoping for reciprocity), we expressly asked permission of Mr. (or Ms.) Boot Root to make screenshots of our conversation:
We were truly hoping for a video call like those from Netflix’s Maniac miniseries. However, Mr(s). Boot Root brushed away our advances. (S)he deleted the account immediately after realizing there wasn’t much to hope for from PortaOne. Except for a good portion of humor and irony.
Why did we decide to reply? First of all, all good books (and articles) on the subject recommend frequent and open communication. The claims by firstname.lastname@example.org and “Boot Root” were broad, including an alleged breach of our IT systems. We decided that, by communicating with the hackers, we might be able to clarify the scope of the breach (if any). We might also learn how and why it happened, if it did. And because the editor of this blog was directly involved in the exchange, we also made sure to get enough amusing content to write this story for you.
What Really Happened with the Source Code Ransom?
Fast-forwarding a bit: it looks like there was really no breach at all. From time to time, some of our clients get their sensitive commercial information (including PortaOne source code) leaked. Usually, this occurs not because some “smart kid” hacks into their system (like in a movie with Benedict Cumberbatch), but through something more prosaic.
Due to budget constraints, some clients outsource (and outstaff) the support and maintenance of their core systems (such as billing and softswitch) to third parties. These “third parties” sometimes have wacky discipline, weak security procedures, or hire “whoever fits the task.”
Human Factor, Not a Hack
Some people get hired, some get fired. Some of these people, when they leave, might “take” a USB stick containing all of their projects. Then, the contents of that USB stick might end up on the darknet. There, they get “mined” for potential code ransom opportunities by “Boot Root” and the like. We haven’t seen the exact source code at issue, so we have not been able to check the watermark and learn which client was the source of this leak. However, this is not so important. What is more important is for our clients to protect their systems and code properly.
Found Something Interesting? Tell Us Please
If you happen to discover a vulnerability in our code or IT systems – or in one of our clients’ IT systems – we are always happy and grateful. (We won’t necessarily show our gratitude with 1 BTC 😂, but it’s still a decent bounty sometimes.) Please contact email@example.com to talk further. Let’s unite our efforts in making source code ransom irrelevant.