
Let me start by saying that I am a computer security researcher. Part of my job is to create malware to deploy in a controlled environment in order to study or evaluate several aspects of computer security.

Now, I am starting to think that using an online code hosting service (such as BitBucket, GitHub, etc.) to have all my code in one place would allow me to work on my projects more efficiently.

My question is: Are there any issues with this? I have studied those companies' privacy policies, and they state that they allow usage of their services for lawful purposes. Since I am not distributing malware, but only using it on my machines and machines that I am authorized to use, aren't I allowed to use the service? For the usage that I am making of it, malware is the same as any other software.

I recognise that I should be extremely careful with code hosting, as any mistake on my part could hold me liable for damages and leave me open to legal action. As such, I recognise that I should use private repositories, so the code is not available to the public. But how private is a private repository? How can I trust that companies like these will not leak or sell a potential (electronic) viral weapon that I may create in the future?

yannis
NlightNFotis
    Go out and purchase some cheap hardware. Set up your own repository on it. As others have shared their concern about putting malware on any public repository like BitBucket or GitHub, I won't repeat it. – Ramhound Sep 24 '12 at 11:14
  • @Ramhound I was thinking about getting a VPS and setting it up with an encrypted file system, and several other security measures. – NlightNFotis Sep 24 '12 at 12:03
  • If you don't want to host your own, then Andrew's answer is the best route. Dotting the i's and crossing the t's in this case is to help prevent a firestorm of negative media heading your way. A good (in)sanity check is to ask yourself how a biased media outlet would spin your story with a negative headline. If/when a breach occurs, details like encryption and security settings will be ignored by journalists going after the sensational story. – Sep 24 '12 at 13:50

2 Answers


As a former host operator (so no, I'm not selling), I would suggest that you'd probably fall foul of the general T&Cs of all reputable hosts.

However, I'd suggest contacting some and explaining what you are wanting... assuming they know what's what, you may find them amenable, especially if you pick a smaller company where people lower down the food chain may have some decision-making powers.

BigCo hosts will probably have no route to approve your request.

You may also have better chances if you are running a dedicated server, rather than a shared hosting provision.

Andrew
  • Hey, thanks for the answer. Now, I was thinking about what you suggested, and honestly, I do not understand how it is foul usage, since I am not using it for malicious purposes. As for your email suggestion, I was thinking about it, but then I understood that it's not going to help me to let them know what I'm doing, and for what it's worth it might do more harm than good. As a last resort, I was thinking about what you suggested too, a VPS with my repositories, but this is getting more complicated because a VPS needs administration, something that will require time, among other things. – NlightNFotis Sep 24 '12 at 06:53
  • Anyone can say that it isn't for foul usage. And if you're using a public repo, anyone else could use it for foul usage. IMHO, sending an email would definitely be better than not sending one. You've got to have something to back up your claim. If it's your work, link to the HP / your boss. If it's for school, talk to your teacher and refer to him. – jgauffin Sep 24 '12 at 07:19
  • @jgauffin What about private repos? My concern is not about me; I know what I will be doing. My concern is about the hosting companies. If they find out about my code, **what would be the worst they could do? Ban me? Sell it? Use it?** That's what is concerning me. – NlightNFotis Sep 24 '12 at 08:26
  • The worst is defined in the TOS for the service. – jgauffin Sep 24 '12 at 08:52
  • @NlightNFotis: They cannot sell or use the source code, doing so would be in violation of copyright laws. – Gavin Coates Sep 24 '12 at 08:53
  • @GavinCoates: and why do you think that anybody interested in using his source code would be deterred by a mere copyright law? – Marjan Venema Sep 24 '12 at 09:08
  • @GavinCoates - How would he prove they stole his source code exactly, and would anyone care? He would do a public disservice by placing ANY of his research in the hands of ANYONE outside of his team. – Ramhound Sep 24 '12 at 11:15
  • ProjectLocker offers free private repositories, both Git and SVN. – Dónal Sep 24 '12 at 15:53

In the context of @Andrew's answer, also keep in mind that BitBucket offers free private repos, so you could host your code there without as much concern for it getting into the wild.

cori
  • Thank you for the answer. I was thinking about going with BitBucket's private repos. But @Andrew raises some valid points, so I am going to reconsider. – NlightNFotis Sep 24 '12 at 06:54