Don't Steal Code (Catfish for Code)

Becoming a developer is the hot new things these days. We’ve got a tech bubble that’s ready to burst any day now and everywhere you look you see companies and investors hammering and yammering on about this idea that “everyone should learn to code”. First of all, I disagree with this statement but supposing it’s true, it creates an environment where competition is fierce and people will do unethical things in order to make it in this market. I recently had a bad experience where some of my open source code was stolen and misrepresented as someone else’s code. What it all boiled down to was trying to set up an impressive portfolio for potential employees. In the interest of being kind I won’t be naming names and changing some details because this isn’t about shaming people. This is a true story of stolen code. For those who would misrepresent others’ code as their own: take it as a warning. For those who’ve had code stolen or are afraid of it, you’re not alone and maybe this will help you figure out what to do if it happens to you.

Coding isn’t for everyone

There’s this idea being spread that learning to code is a new essential skill everyone needs to know on a level like basic math or spelling. It’s not. I liken it to becoming a mechanic. Most of us drive cars but not all car owners need to be mechanics. What you do need to know is how to operate your car, maybe change your oil, and have a basic understanding of how a car works in general so when something goes wrong you know, generally, why your car isn’t working and can speak to a mechanic intelligently about getting it fixed. I know how to change the fluids in my car, operate it, change the oil and brakes, and have a good understanding of how my car works. That’s all I need to know to drive my car.

When it comes to computers the same idea applies. You only need to know what the request/response cycle is on a high level (I request a URL and get a page in return). Learning to code may sound like a cool thing to know but once you get into it you may find out that it just isn’t for you. It may be too hard and that’s okay. It may not interest you or you might just lack the aptitude for learning to code. That doesn’t mean you’re dumb. If you’re willing to stick it out you can certainly gain that aptitude but you’ll have a tougher time than some other people.

Getting a job as a developer

We’re in a golden age of web development. You don’t need a college degree to become a well paid web developer. All you need to know is how to do the work. Your performance, experience, and portfolio will speak louder than anything else.

Unfortunately there’s a big influx of junior developers coming out of coding schools and bootcamps that are looking for jobs. Not all of these students have great portfolios when they complete their class. Some students have only enough time and energy to complete their in-class projects. From an employer point of view, seeing that you can follow along and complete coding assignments and do exercises in class gives you some credit but other employers (like me) are looking for developers coming out of these code bootcamps with their own side projects that show what drives them personally.

The case of the stolen open source code

In my current job as a web development course instructor we see students here and there drop the course for various reasons. Most of the time its for personal reasons, illness, or something else but other times a student becomes frustrated with the learning process itself and decides to quit the course to self-teach. That’s fine. I personally self-taught myself to code and it’s worked out so well that I’m a senior developer and have even served as a CTO for one company and was invited to serve on the board of another. This didn’t happen overnight. I had to work hard and learn technology on my own to get here. Not everyone has that patience.

One morning I walked into class and was alerted to the fact that a former student had been stalking some of the GitHub projects from other students in the class (including instructors) and created a GitHub account which passed off those projects has their own. It was like the code version of catfishing. When we were alerted to the situation we found at least 4 completely stolen works of software on this person’s GitHub profile that we knew were stolen because:

  1. The license files were deleted and recreated using this person’s name. So basically they were taking credit for our work
  2. The README files had been changed to remove personal details about the original authors and in some cases details were added to make it seem as though the project was made by this person
  3. The projects were not forked from the original project. This person used GitHub’s “Download as Zip” feature then created a brand new repository named very similarly to the original project when they posted them back to their GitHub page.
  4. The projects weren’t cloned with remotes simply changed either. We checked the commit history for each project and not one of them had a single commit from the original author.

Open source is meant to be shared

The other students who had their code stolen were upset but I was especially disappointed as I really wanted others to use my code for any commercial or non-commercial purpose. The project was MIT licensed. The only problem is this person broke the rules of the MIT license. When you use an MIT licensed piece of software you’re allowing anyone to do whatever they want with your code with one caveat: The original author must be given credit.

What this former student was doing was filling their GitHub profile with other people’s projects, misrepresenting the projects as their completely original work. The question now was “why?” and the answer was because they wanted to show prospective employers (or people who’d hire them as a freelancer) that they had a portfolio full of cool projects. Unfortunately we all knew this person couldn’t even run these projects locally if they tried.

The idea that open source code was being “stolen” made me feel vey conflicted inside. Of course I wanted others to use this code and share it and add to it. I wanted them to use it for commercial use if they wanted. So I felt a bit bad thinking of this as theft. After all, I did put this code online and I did encourage people to do whatever they wanted with it. I quickly got over that because this case was different. The person who took this code was not using the code. They were simply misrepresenting the authorship and using the code as a prop to get jobs and clients. This wasn’t someone who used the project on its own or as part of a larger project. This was someone who got a copy of the code to catfish people. That’s what made it wrong. That’s the whole reason why GitHub has a “Fork” feature. The difference between stealing open source code and legitimately using it is the fork feature (or cloning it and pointing it to another remote because this preserves the original commit history).

How to correctly use open source

It’s unethical to download and re-upload other people’s work and show it off as your own. The proper way to contribute or maintain a copy of an open source project on GitHub would be to fork the repository and maintain your own fork.

A note on the MIT License

The MIT license, which I use for all my projects, basically amounts to this: “use this code for any commercial or non-commercial use. Mix it with other code. The only rule is that you leave the license file intact, giving the original author credit. You can add your name in addition to the original author if you’re making improvements with your fork but you must give credit to the original author somewhere in the end.

It’s pretty easy to tell an honest mistake from blatant misrepresentation.

How we resolved the issue

I contacted the person in question via GitHub’s issues feature and opened an issue titled “Not your original code”. As kindly as possible I explained that it looked like they were stealing other people’s work and passing it off as their own. I went on to explain the proper way to maintain a fork of a project.

The response I got was disappointing. I was told that the reason that this person uploaded other students’ and instructors’ (including my own) work to their GitHub profile was so they could practice writing code by rewriting each line of code by hand to understand how it all worked. It was a lame excuse. If that were the truth then the License files would not have been changed, the README files would not have been changed, the project names would not have been changed from their originals ever so slightly, the GitHub account would not have been an organization for a web development company (something this person had mentioned they wanted to start after the course was over), and, finally, you could go ahead and copy code line by line without having the original code published to a GitHub account. This person could have just downloaded/cloned the code and practiced privately. Instead they tried to pass other people’s work off as their own.

In the end…

Unfortunately, this person deleted their GitHub profiles after they were caught. I don’t want anyone to have to call anyone out on stuff like this but what if someone were searching for my project and this other person’s came up instead? They wouldn’t know which was the official maintained version because there’d be no obvious indication that one is a fork of the other. Most people just trust the order of Google results and don’t bother to look at commit histories and such.

Free and open source doesn’t literally mean “do whatever you want”. There is a code of conduct and those License files actually mean something. I hope this person gets back on GitHub and posts original work, forks other repositories, and goes through the process of learning to code the right way.

There are no shortcuts on the road to becoming an experienced developer. It’s tough but if you have a love for it then you should keep trying until you make it.

Open source, Web development

« Coding on the Go Dotnever: Keep secrets in your project without the use of a library »

Comments