Why the world needs reverse engineers

Reverse engineers open things up and investigate things, finding information that IT companies don't always want us to find out.

Reverse engineering.

It sounds backwards. It sounds devious. But it is about analysis: taking things apart, potentially breaking them, to find out how they work; opening up the hood, seeing what parts are inside and how they are connected. And, although it sounds somewhat less noble than "engineering," the world needs reverse engineers and needs them badly.

We especially need the ones who are willing to share what they find publicly, for free.

Companies don't like it when people take apart their products to see how they work. They would like it if their products were treated as black boxes. "No user serviceable parts inside," they say. Or, "Opening case will void the warranty." Many software shrink-wrap licenses even bind you contractually to not reverse engineer the software. Hex editors and disassemblers, which are common programmer tools, are not allowed.

What are they hiding in there?

Companies are hiding a lot of things: their mistakes, security vulnerabilities, privacy violations and trade secrets. Usually, if someone finds out how a product works by reverse engineering, the product will be less valuable. Companies think they have everything to lose with reverse engineering. This may be true, but the rest of the world has much to gain.

Take for example the :CueCat barcode scanner from Digital:Convergence, which Radio Shack, Forbes and Wired Magazine have been giving away. It scans small bar codes found in magazines and catalogs into your computer, then sends you to a Web site, which gives you more information. Linux programmers, ever eager to get a new device to work with the Linux operating system, took the thing apart.

They reverse engineered the encoding the device used and found out how it worked. This allowed them to write their own applications for the device. One of the better applications was one that allowed you to create a card catalog for your home library. By scanning in the ISBN barcodes on the back of your books, the application is able to download information from Amazon.com and build a database. So here we have someone building something new by stitching together the :CueCat, Linux and Amazon.

Digital:Convergence didn't like this at all. It wanted to be in control of the Web site you went to when you swiped a barcode. The company didn't like the fact that other people could write software for the device it was giving away and that they didn't make any money from that. It also didn't like the fact that, in the process of reverse engineering the :CueCat, programmers discovered that every one of them has a unique serial number. These programmers later found out and publicized that this serial number is tied into the customer information you give when you register your :CueCat on the Digital:Convergence Web site. The end result is Digital:Convergence can record every barcode swipe you make along with your customer information.

Reverse engineering allowed people to truly understand what the product was doing. This wasn't at all clear from information that Digital:Convergence originally gave out.

Checks and balances

Many of the privacy risks we face today, such as the unique computer identification numbers in Microsoft Office documents, the sneaky collection of data by Real Jukebox, or the use of Web bugs and cookies to track users, were only discovered by opening up the hood and seeing how things really work. Companies do not publish this kind of information publicly.

Sometimes they even disavow that they meant to design and build their products to work the way they end up working. People engaged in reverse engineering are a check on the ability of companies to invade our privacy without our knowledge. By going public with the information they uncover, they are able to force companies to change what they are doing lest they face a consumer backlash.

Uncovering security vulnerabilities is another domain where reverse engineers are sorely needed. Whether by poor design, bad implementation, or inadequate testing, products ship with vulnerabilities that need to be corrected. No one wants bad security, except maybe criminals, but many companies are not willing to put in the time and energy required to ship products without even well-known classes of problems. They use weak cryptography, they don't check for buffer overflows, and they use things like cookies insecurely. Reverse engineers who publicly release information about flaws force companies to fix them and alert their customers in a timely manner.

The only way the public finds out about most privacy or security problems is from the free public disclosures of individuals and organizations. There are privacy watchdog groups and security information clearinghouses but without the reverse engineers who actually do the research we would never know where the problems are.

Expect more secrets

There are some trends in the computer industry now that could eliminate the benefits reverse engineering has to offer. The Digital Millennium Copyright Act (DMCA) was used by the Motion Pictures Association of America (MPAA) to successfully stop 2600 Magazine from publishing information about the flawed DVD content protection scheme. The information about the scheme, which a programmer uncovered by reverse engineering, was now contraband. It was illegal under the DMCA.

Think about that. There are now black boxes, whether in hardware or software, that are illegal to peek inside. You can pay for it and use it, but you are not allowed to open up the hood. You cannot look to see if the box violates your privacy or has a security vulnerability that puts you at risk.

Companies that make hardware and software products love this property and are going to build their products so that they fall under the protection of the DMCA. :CueCat did this when they built their product. They added a trivial encoding scheme, which they call encryption, so that their bar code scanner was protected against reverse engineering by the DMCA. We can expect to see many more companies do this.
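The point about a "trivial encoding scheme, which they call encryption" deserves a concrete illustration. The block below is an added example written for this page, not :CueCat's documented scheme and not code from Digital:Convergence: it constructs a stand-in encoding (every byte XORed with one fixed key byte, then base64) and shows why a reviewer should classify it as obfuscation rather than encryption. A single known plaintext byte recovers the whole key, and even without one, the key space is only 256 values, so a plausibility check on the output (a barcode payload is ASCII digits) narrows it to a couple of candidates. The key byte, the barcode payload and the function names are all assumptions made for the example.

```python
import base64

# Constructed stand-in for a "trivial encoding": fixed single-byte XOR followed
# by base64. Assumed key byte for the example; nothing here is :CueCat's real scheme.
KEY = 0x5A


def obfuscate(data: bytes, key: int = KEY) -> str:
    """Apply the toy scheme: XOR every byte with the same key, then base64-encode."""
    return base64.b64encode(bytes(b ^ key for b in data)).decode("ascii")


def deobfuscate(encoded: str, key: int = KEY) -> bytes:
    """Reverse the toy scheme with a known key."""
    return bytes(b ^ key for b in base64.b64decode(encoded))


def recover_key(encoded: str, known_plaintext_byte: int, position: int = 0) -> int:
    """Known-plaintext recovery: because every byte is XORed with the same key,
    one plaintext byte at any position reveals the key for the whole message."""
    raw = base64.b64decode(encoded)
    return raw[position] ^ known_plaintext_byte


def is_digit_payload(candidate: bytes) -> bool:
    """Plausibility check a reviewer would use: barcode payloads are ASCII digits."""
    return len(candidate) > 0 and all(0x30 <= b <= 0x39 for b in candidate)


def candidate_keys(encoded: str) -> list:
    """No known plaintext at all: the key space is 256 values, so try every key
    and keep the ones whose output passes the plausibility check."""
    raw = base64.b64decode(encoded)
    return [k for k in range(256) if is_digit_payload(bytes(b ^ k for b in raw))]


def demo() -> dict:
    scan = b"9780131103627"  # constructed ISBN-style barcode payload
    enc = obfuscate(scan)
    return {
        "encoded": enc,
        "roundtrip": deobfuscate(enc),
        # Knowing only that the first character is '9' is enough to get the key.
        "key_from_one_byte": recover_key(enc, ord("9")),
        # Exhaustive search over the 256 possible keys, filtered by plausibility.
        "candidates_without_plaintext": candidate_keys(enc),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The contrast with real encryption is the design point: with a proper cipher and a secret key, a known plaintext does not hand over the key and the key space is not enumerable, so the "secret" of a scheme like this is not something the software can keep from anyone who opens the hood.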

As more of our entertainment and the world's valuable information move into the realm of digital content, we are sure to see a plethora of content protection schemes. They will be built into software viewers and browsers, operating systems, and the hardware itself: laptops, televisions, video cameras, telephones, stereos, and practically every electronic device. Will it all be off limits to reverse engineering? Are we going to lose this important resource for learning about the risks of living in our high-tech society?

This is a future that is scary to me. One of the notions that was born out of the Enlightenment is that at the core of human nature lies the need to inquire about the world around us. As we move our discourse and society into the digital realm it will be a tragedy to lose this fundamental freedom which has served us so well.

Weld Pond is the manager of research and development with security firm @stake Inc.