Author Topic: Posting code - How much do we want to let them see?  (Read 1223 times)

lucid
« on: November 25, 2014, 08:52:01 pm »
I feel like it's been months since I've actually posted anything besides moderator comments and such, so we'll get back into it with a new question I've stumbled on.

What with all the government spying and whatnot, it feels like anonymity is completely and entirely dead and we should all just give up. I mean let's be honest. Not that I matter much to them, but I'm sure that the NSA or whoever may be watching knows already that the IRL me is lucid on the internet, and probably has a pretty good idea of my beliefs, ideals, and behaviors to an extent.

However, this doesn't mean we should just lie down and die, right? I came across an interesting question related to privacy and watching your back online when I got stuck deciding whether or not to post code I wrote that contains some...... questionable features. Actually, I think it would be more appropriate to say downright illegal as fuck. Now I realized I could put disclaimers in the code comments, and always post the code with a message like:
Quote
WARNING: THIS IS FOR EDUCATIONAL PURPOSES ONLY AND NOT TO BE USED FOR ANYTHING ILLEGAL
and while that should legally protect me to some small degree, we all know that it's actually not just what they can prove, and that it does matter what they know.

My question is this: Given that the NSA is watching us and at some point will or has seen everything we do on the web, is it no longer safe to post code that you've created if it has some sort of illegal features in it?

What do you guys think?
« Last Edit: November 25, 2014, 08:52:47 pm by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

madf0x
« Reply #1 on: November 25, 2014, 09:14:31 pm »
Hmm, well, afaik the only illegal code is related to crypto export laws and some countries' wacky 'anti-hacking' laws. If you mean more towards the actions the code would make would constitute as being illegal (scraping PII? messing with SCADA?), plenty of public security researchers do that already. Multiple companies outright sell rootkits and whatnot. So I'd say it's safe to post code.

I guess there could be an issue with association. Like "oh Lucid posts cc scraping code ergo he must be a credit card fraudster and we need to watch him" sort of thing.

Slight segue here, but unpopular opinion time: I don't believe the NSA has nearly as much power as people think they do. Or rather, I relate it to how the avg person sees hacking: the things they assume are difficult tend to be pretty easy, and the stuff they assume is easy can actually be quite complicated and difficult. I think the NSA is lacking in areas we take for granted but excels in areas we don't even know about. Yes, they have huge monitoring tools available to them and pretty much any form of crypto is a joke to them, but they are also gunna be bogged down by bureaucracy and have normal and geeky people working there too. There's a human analyst somewhere there drowned in overtime work who has to go through hundreds of reports, but it's almost 5 o'clock on a Friday and he wants to go drinking with some buds and just can't bring himself to give a fuck for another 10 minutes about whether or not some Lucid guy wrote some questionable code or not.

Also, fun fact that most people don't realize, but a HUGE portion of the NSA's duties involve the management and generation of monthly crypto keys to pass down to the branches of the military through various S6 shops with drastically different skill and knowledge levels. And all that takes policy work too, ewwwwww. These keys aren't always wrapped properly either, and you'll have cases where Brigade gets keys from Division, wraps them in a shitty way and then battalion has to fix them because dumbass at the vault made it so ONLY the master SKL can load keys into the radios and ugh, glad I'm done with that bullshit.

Xires
« Reply #2 on: November 25, 2014, 09:54:31 pm »
This is actually a very good question.  Of course, it should be left to each individual to decide for themselves, but seeking advice is always a decent idea.  For me, personally, I try to categorize my code to make it a bit easier to determine such things and I tend to use the categories like chains in a firewall.

In some cases, there's just no good reason to publicize the code.  These include personally discovered 0days as well as code submitted to me by others under the request or assumption that I keep them private.

Obviously, I tend to be quite free with instructional code but at the same time, I try not to include anything directly dangerous.  If I am trying to advise on something that is intended to be potentially dangerous, I'll often allude to a process in pseudo-code or comments within a legitimate framework example.

Modularity can actually be quite helpful.  In some cases, you might need to include shellcode, hard-coded IP addresses, passwords or something similar which itself might be a problem.  Separating those sections through modularity so they don't need to be included in anything you might publicize can be extremely useful in several different ways.

My mental 'firewall' for publishing code:
  • Code from others (policy: kept private but not on external medium)
    • requested to remain private - kept encrypted on external medium; never published without express permission
    • permitted anonymous publication - stripped of identifying information, restructured, commented
    • permitted free publication - comment header denoting credit due added, commented, otherwise unaltered
  • Instructional (policy: published as if sensitive)
    • non-sensitive - freely published
    • sensitive - commented, published with notation
    • dangerous - seriously dangerous parts replaced with comment blocks explaining general concepts, published with special notation
  • Non-instructional (policy: published as if sensitive)
    • non-sensitive - freely published
    • sensitive - commented, published with notation
    • dangerous - not publicly published but only shared privately with express instructions not to redistribute
    • very dangerous - local copies encrypted; never publicly published and shared privately only by need or specific request; express instructions not to redistribute
    • severely dangerous (e.g. could destroy countries) - encrypted & kept independent on external medium; stored in remote location; never published, not distributed privately; contemplate inducing seizure specifically to forget about it*

*Note: I don't actually know if I've ever done this ;-P
-Xires

lucid
« Reply #3 on: November 25, 2014, 10:26:15 pm »
I like your mental firewall. I should develop something similar. Also I hadn't really considered modularity as a form of privacy. Thanks.

I see what you are saying madf0x. I've often thought that it would be extremely easy for people to blow the NSA's capabilities out of proportion. First it's, "The NSA purposely put backdoors in popular algos, and regularly intercept computers and technology while en route in order to install hardware backdoors." To, "The NSA is under your bed."

I obviously don't believe that the NSA has the time and resources to hire an analyst for every wannabe hacker and criminal in the world like some people believe. I know there isn't some person who is currently watching me type this post in real time or anything. However, I do believe that with automated systems like XKeyscore and whatnot, and with the large amount of access they've tailored, they don't need to care about me or waste time watching me in order to have a log or dossier or whathaveyou on posts and searches I've made. So sometimes I worry that posting, say, a script that bruteforces random IP addresses SSH servers  :-X, on GitHub might land me in perhaps a slightly more exclusive list than any that I already may be on, if you know what I mean.

EDIT: Come to think of it, I've probably issued enough unique searches looking for solutions to code problems I've had, that they could probably figure out what I was coding without me even having to post it somewhere.
« Last Edit: November 25, 2014, 10:32:12 pm by lucid »

d4rkcat
« Reply #4 on: December 05, 2014, 04:01:59 pm »
https://en.wikipedia.org/wiki/Hawthorne_effect

This is why even having the idea that someone is watching you is extremely bad for everyone.
I just go by the law, so if the code is illegal, I won't publicize it.
But as madf0x has said, I don't believe any code is illegal apart from certain types of crypto and that only applies to certain countries.
I don't want to feel like I need to hide or that I'm doing something wrong.
In my head I am justified in anything I code because I am trying to figure out computers and their networks. I am not trying to 'hack the planet' or anything, I just would like to figure out how to.  :D
As you said they have a record of your search history and so they can figure out what you're up to.
I cannot be bothered to live on Tails or something similar; the stress is not worth it to me.

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


proxx
« Reply #5 on: December 05, 2014, 07:57:39 pm »


You are profiled, indexed and registered; it's too late now.
Basically you have nothing to lose, kinda doesn't matter now :)
« Last Edit: December 05, 2014, 07:57:51 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

zenith
« Reply #6 on: December 06, 2014, 01:21:47 am »
I see your Hawthorne effect and raise you the Panopticon:

https://en.wikipedia.org/wiki/Panopticon


Only since it's geared more towards positive/negative behavior in general and not just worker productivity.

I agree with madf0x on this one, in regards to them likely having less capability in areas we think they are near-omnipotent in, and more capability in areas that we may not even have thought of. And, at the end of the day, it's all just people working there. Mostly normal people, who probably don't like their boss, think they are overworked/underpaid for what they do, and can't wait to finish their reports (or whatever) for the day so they can go home, have dinner with their family, play video games and watch Netflix.

Regardless of the legality of what might be in code we share online, we're all small fish. Uploading some malicious code in itself isn't going to red-flag you to the NSA.