Why aren't software leaks more common in large tech companies?

3 points by tempaccount420 ↗ HN
I've been wondering why we don't see more leaks from big software companies like FAANGs. They have tons of employees working on huge projects (think Google's search engine), yet leaks seem super rare.

Take the Twitter/Musk drama, for example. Even with a bunch of unhappy employees, no major leaks came out.

On the other hand, we get leaked iPhone pics months before they're released. What's up with that?

Why do you think software leaks are so uncommon, even with massive teams? Is it tighter security, company loyalty, high pay, or something else?

13 comments

[ 5.2 ms ] story [ 44.2 ms ] thread
Because people want to find employment, not be sued to bankruptcy, and not go to jail?
You can do it completely anonymously.
I think you’re really underestimating the sheer size of these codebases and how near impossible it would be to actually do this anonymously.
> On the other hand, we get leaked iPhone pics months before they're released. What's up with that?

How do you know that those "leaks" were not by Apple for PR? It is all a PR game; it gets more publicity than any other means.

> Why do you think software leaks are so uncommon, even with massive teams? Is it tighter security, company loyalty, high pay, or something else?

It is not uncommon. Sometime back a hedge fund took one of its former employees to court due to code theft.

The reason most employees don't do that because the code base of tech companies is huge and most of them use proprietary tools.

And even if an employee steals the code, it will not be used by competitors because hiring engineers is cheaper than hiring lawyers. Sometime back a disgruntled Intel employee, when leaving the company to join AMD, stole some documents of the project he was working on. After joining AMD, to impress his new employer(who is a competitor of his previous employer), tried to give them the stolen documents. Not only did he lose his job at AMD, but AMD informed Intel about the theft. The guy was arrested.

Software is usually not worth much without the data it operates on.
I think you would be surprised by the level of auditing/tracking that can go on employee laptops at some of these big companies. Every network connection, every peripheral connected, every file read, every program executed. If you wanted to exfiltrate code without the consequences, I think that would be challenging. There are only a number of ways I could think of doing that without leaving some obvious artifacts and that skill set is probably 1 in 100 to think about doing it and 1 in 10000 to actually do it.

Googling "how to exfiltrate data from a corporate network" leaves artifacts too.

Competent security teams assume that their code repos are compromised as well since it would likely be the first thing to be exfiltrated.

Furthermore, there are probably only 3 categories of people who would be interested. (1) nation states (2) criminal organizations (3) disgruntled employees.

Criminal organizations might be interested in blackmail. Disgruntled employees are most likely to be motivated by political reasons (think snowden).

> Take the Twitter/Musk drama, for example. Even with a bunch of unhappy employees, no major leaks came out.

The whole twitter codebase was leaked and uploaded to public github a week ago shrugs

Id imagine its because leaking the source code is just not worth enough to take the chance on?

I have yet to see a codebase that someone wouldn't re-write given the chance and what makes these companies succesfull is rarely their code.

Most code is useless outside the context it is used within. I.e Other services it can call, databases
Code can still be useful even if you can't run it. It would be easier to rewrite Google if you had the code than without.
A lot of reasons below are valid. And also the technical context addressed by one of the other comments. But beyond that, as a company's size increases, the proportion of value contribution from the code is increasingly augmented by the functions of marketing, sales, support and distributions. The value of code in isolation diminishes so much, the risk is usually not worth it unless it is something very unique like GPT.
not worth risk of getting caught and go to litigation with company who will bankrupt you.

most software is individual components or service that not so interesting outside of companys context. code not super fancy or sexy either. it was written probably in a rush to get out feature so team meets director or vp goal. and whatever meaning it really have in bigger context of other distributed services that together provide actually useful feature.

A few reasons:

First it's just boring. 99% of the time, it's mostly boring and what you'd expect. Some dumb Django or Rails app? Who cares. A Python library to talk to some internal service? A backend implementation of some well-known, public feature? Probably knowing about the feature is more interesting if its somehow secret or salacious...

Second the coding environment is very specific. FAANGs have very unique software ecosystems, coding styles, ways of structuring services. So even if you had the code, what could you do with it?

Third, and most importantly, the secret sauce IMO isn't in the code. It's the institutional expertise behind the code.

If you had Google's way of matching ads to search queries, then OK, you have a snapshot of a point in time. Same with Twitter's recommendations. It is moderately interesting and you can learn from it. But these algorithms are _constantly evolving_ around experiments and shipping. The internal teams are constantly learning and evolving how they understand that feature. So the team's mental models about that area of their product is the actual secret sauce.

Frankly if its JUST in the code, like some genius hacker put it there, and nobody else understands or can maintain it, it's not that useful to the organization. Those kinds of bits of code gradually die without a team to scaffold and evolve that code.