5

My goal is to develop a piece of software which is illegal in my country. Obviously I don't want anyone to be able to trace the code back to me or prove that I developed it after deployment. What precautions would be needed? Which pitfalls need to be avoided? Is there a tutorial?

I would suspect that full drive encryption on your development machine and internet connectivity over Tor are required.

What setup would be needed when developing in countries with political repression or similar conditions?

Luc
  • 31,973
  • 8
  • 71
  • 135
wuerfelfreak
  • 153
  • 3
  • 1
    Language-specific patterns in your text (bad grammar, random noun capitalization) and username would be the first step to narrowing down who you are :-) – Luc Jan 05 '20 at 00:00
  • 6
    The first step would be making 200% sure you actually need to write that software – honestly, most things that are illegal under repressive regimes (news browsers, encrypted communications) already exist and at most need localization. – Marcus Müller Jan 05 '20 at 00:12
  • There's also many arguments for decidedly *not* basing the software development for a repressed people in the hands of the same: If most contributions come from the diaspora, they are harder to suppress and infiltrate through repressive action e.g. against discovered developers. – Marcus Müller Jan 05 '20 at 00:18
  • If you're in fact not living somewhere where encrypted communications could make a great impact, but in fact somewhere democratic and free, but your software is still hoping to make a social impact: Ever-relevant article [On technology and democracy and power](https://medium.com/civic-tech-thoughts-from-joshdata/so-you-want-to-reform-democracy-7f3b1ef10597); a technological solution rarely makes a big dent without the social environment to do so. – Marcus Müller Jan 05 '20 at 00:20
  • 1
    Consider doing your development remotely, on a virtual machine hosted in a country with good human rights laws. You would then have to consider your payment capabilities: how to pay for the hosted VM without a money trail leading back to you. And you still need to have excellent Operational Security practices to ensure your local machine, network connections, payments, etc., aren't compromised. – John Deters Jan 05 '20 at 00:47

1 Answers1

5

I don't think that the development itself is so much of a problem if done alone, offline and with proper disc encryption and if the software never gets distributed.

But, if you need help in development you need to communicate with others or at least get information from the internet. It might for example be that the developer forums you visit are compromised and use of these forums will compromise your system too, like in Apple, Facebook employees hacked via website malware, Java vulnerability or in FBI using an exploit to attack Tor users.

Even if not compromised the forums might log your visits, store the questions you've asked and the posts you've visited etc, which might be used to construct a picture of what you are working on and might later be used as evidence against you. And just visiting such sites via Tor does not make you fully anonymous - all what it does is hiding your IP address.

And then you likely need to somehow distribute the software to others. If done as binary for easy install then these binaries often include traces from the developer environment and process, like language used on the system, time the software was compiled, specific versions of software libraries used in your code, software versions used for compilation, debug information, ... . While none of this by itself will make it possible to find you and can help to narrow down the potential suspects and might later be used as evidence. Distributing as source code might even be worse since it can be more easily aligned with code snippets you might have asked about on the internet.

Also, I hope that would not blindly install arbitrary software you'll find on the internet and this kind of security you should expect from others too. So you somehow need to establish some reputation so that others will trust that the software does what it claims and does no harm. Building such reputation commonly involves that you need to communicate with others and trust others too - which makes your vulnerable if there is somebody you should not actually trust. For example government agencies are regularly able to infiltrate closed forums in the dark net even though the administrators of such forums try very hard to screen new members.

In summary: it is far from trivial and there is no simple tutorial to follow. The threat model is specific for where you live, what kind of software you develop, what your developments tools are, how do you want to distribute the software, how hard somebody would try to find you ...

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424