My ex-colleague contacted me recently to help build a solution that would checkmate the case of code theft that they are currently challenged with. I tried to suggest the developers either work remotely (using rdp or similar), or physically with a company provided system. He rejected both recommendations and insisted the potential culprit shouldn't be aware he is being monitored

He proposed the following flow for what he intends I build: an obfuscated program scattered across the code base, possibly assembling at intervals or as a reaction to project build. Then signaling their server with details of the machine it's running on

The project to be rigged with the spyware is written in spring boot and I can't turn this down even if I don't think it's worth it cuz no work has been forthcoming and I'm nearly out of cash

So the question is, is the flow described above a feasible one? Can you suggest a smarter way to detect when the code is transferred to the system of an unaccredited engineer? Can you suggest any tips on how to go about this?

  • 3
    and that spyware will be in the final build for the users?
  • 1
    @We3D spring boot is used for building back ends, so no
  • 0
    well it's in the code, so can be detected... and avoided ;)
  • 1
    Collect system information of where you approve deployment and hash the result. Then sign the hash. Maybe do it as part of the build process and inject the signed hash into the code base with the public key.

    All over the code base check the hash signature is valid.

    The engineers have the source so there's no way to prevent this, since they can code around it. All you can do is obfuscate and make that too difficult to bother with. But it will also make your code base brittle.
  • 1
    Install a keylogger.

    Stupid requirements beg for stupid solutions. If you can't trust tge people you hire, the problem is probably not these people, but the one who hires/vetoes them
  • 0
    @jestdotty suppose the stolen codebase is used for another project, as opposed to being shared on vcs, how would we see it to know the undercover tag?
Add Comment