Comments
Collect system information of where you approve deployment and hash the result. Then sign the hash. Maybe do it as part of the build process and inject the signed hash into the code base with the public key.
All over the code base check the hash signature is valid.
The engineers have the source so there's no way to prevent this, since they can code around it. All you can do is obfuscate and make that too difficult to bother with. But it will also make your code base brittle.
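The scheme described in the comment above, as an added example that is not code from the original post or from the Spring Boot project being discussed. It is written in Go because the approach is language-neutral (Ed25519 from the standard library does the signing); the set of host attributes that go into the fingerprint and the sample hostnames are assumptions of this example. `Approve` is what the approving party runs once per machine; `Check` is the piece that would be repeated throughout the code base, with only the public key and the signature injected at build time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"os"
	"runtime"
	"sort"
	"strings"
)

// HostInfo holds the attributes a machine is identified by. Which attributes
// to use is an assumption of this example, not something the comment
// specifies; only values that stay stable across reboots are useful here.
type HostInfo struct {
	Hostname string
	OS       string
	Arch     string
	User     string
}

// Fingerprint canonicalises the attributes as sorted key=value lines and
// hashes them, so the same host always yields the same 32-byte digest.
func Fingerprint(h HostInfo) []byte {
	fields := map[string]string{
		"hostname": h.Hostname,
		"os":       h.OS,
		"arch":     h.Arch,
		"user":     h.User,
	}
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, fields[k])
	}
	sum := sha256.Sum256([]byte(b.String()))
	return sum[:]
}

// GenerateApproverKey creates the key pair. The private half stays with the
// approving party; only the public half is embedded in the product.
func GenerateApproverKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Approve signs the fingerprint of a machine that is allowed to run the code.
func Approve(priv ed25519.PrivateKey, h HostInfo) []byte {
	return ed25519.Sign(priv, Fingerprint(h))
}

// Check recomputes the fingerprint of the machine it runs on and verifies
// the signature that was baked in at build time.
func Check(pub ed25519.PublicKey, sig []byte, h HostInfo) bool {
	return ed25519.Verify(pub, Fingerprint(h), sig)
}

// CurrentHost gathers the attributes of the machine this process is on.
func CurrentHost() HostInfo {
	host, _ := os.Hostname()
	return HostInfo{Hostname: host, OS: runtime.GOOS, Arch: runtime.GOARCH, User: os.Getenv("USER")}
}

func main() {
	pub, priv := GenerateApproverKey()
	// Constructed sample: the machine the deployment was approved on.
	approved := HostInfo{Hostname: "build-01", OS: "linux", Arch: "amd64", User: "ci"}
	sig := Approve(priv, approved)
	fmt.Println("approved host passes:", Check(pub, sig, approved))
	fmt.Println("this machine passes:  ", Check(pub, sig, CurrentHost()))
	// Constructed sample: an unaccredited machine with the same OS and arch.
	stranger := HostInfo{Hostname: "laptop-x", OS: "linux", Arch: "amd64", User: "dev"}
	fmt.Println("other host passes:   ", Check(pub, sig, stranger))
}
```

The check is only as strong as the secrecy of the private key and the integrity of the embedded public key: anyone who holds the source can generate their own pair, sign their own machine's fingerprint, and swap both values in, which is exactly the limitation the comment points out.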
Install a keylogger.
Stupid requirements beg for stupid solutions. If you can't trust the people you hire, the problem is probably not these people, but the one who hires/vetoes them.
Nmeri172391y @jestdotty suppose the stolen codebase is used for another project, as opposed to being shared on VCS, how would we see it to know the undercover tag?
My ex-colleague contacted me recently to help build a solution that would checkmate the case of code theft that they are currently challenged with. I tried to suggest the developers either work remotely (using RDP or similar), or physically with a company-provided system. He rejected both recommendations and insisted the potential culprit shouldn't be aware he is being monitored.
He proposed the following flow for what he intends I build: an obfuscated program scattered across the code base, possibly assembling at intervals or as a reaction to project build, then signaling their server with details of the machine it's running on.
The project to be rigged with the spyware is written in Spring Boot and I can't turn this down even if I don't think it's worth it, because no work has been forthcoming and I'm nearly out of cash.
So the question is, is the flow described above a feasible one? Can you suggest a smarter way to detect when the code is transferred to the system of an unaccredited engineer? Can you suggest any tips on how to go about this?
question