Information Security News mailing list archives

Why the world needs reverse engineers


From: William Knowles <wk () C4I ORG>
Date: Wed, 11 Oct 2000 12:07:15 -0500

http://www.zdnet.com/zdnn/stories/comment/0,5859,2636304,00.html

By Weld Pond, @stake, Special to ZDNet
October 9, 2000 6:02 AM PT

It sounds backwards. It sounds devious. But it is about analysis:
taking things apart, potentially breaking them, to find out how they
work; opening up the hood, seeing what parts are inside and how they
are connected. And, although it sounds somewhat less noble than
"engineering," the world needs reverse engineers and needs them badly.

We especially need the ones who are willing to share what they find
publicly, for free.

Companies don't like it when people take apart their products to see
how they work. They would like it if their products were treated as
black boxes. "No user serviceable parts inside," they say. Or,
"Opening case will void the warranty." Many software shrink-wrap
licenses even bind you contractually to not reverse engineer the
software. Hex editors and disassemblers, which are common programmer
tools, are not allowed.

What are they hiding in there?

Companies are hiding a lot of things: their mistakes, security
vulnerabilities, privacy violations and trade secrets. Usually, if
someone finds out how a product works by reverse engineering, the
product will be less valuable. Companies think they have everything to
lose with reverse engineering. This may be true, but the rest of the
world has much to gain.

Take for example the :CueCat barcode scanner from Digital:Convergence,
which Radio Shack, Forbes and Wired Magazine have been giving away. It
scans small bar codes found in magazines and catalogs into your
computer, then sends you to a Web site, which gives you more
information. Linux programmers, ever eager to get a new device to work
with the Linux operating system, took the thing apart.

They reverse engineered the encoding the device used and found out how
it worked. This allowed them to write their own applications for the
device. One of the better applications was one that allowed you to
create a card catalog for your home library. By scanning in the ISBN
barcodes on the back of your books the application is able to download
information from Amazon.com and build a database. So here we have
someone building something new by stitching together the :CueCat,
Linux and Amazon.

Digital:Convergence didn't like this at all. It wanted to be in
control of the Web site you went to when you swiped a barcode. The
company didn't like the fact that other people could write software
for the device it was giving away and that they didn't make any money
from that. It also didn't like the fact that, in the process of
reverse engineering the :CueCat, programmers discovered that every one
of them has a unique serial number. These programmers later found out
and publicized that this serial number is tied into the customer
information you give when you register your :CueCat on the
Digital:Convergence Web site. The end result is Digital:Convergence
can record every barcode swipe you make along with your customer
information.

Reverse engineering allowed people to truly understand what the
product was doing. This wasn't at all clear from information that
Digital:Convergence originally gave out.

Checks and balances

Many of the privacy risks we face today, such as the unique computer
identification numbers in Microsoft Office documents, the sneaky
collection of data by Real Jukebox, or the use of Web bugs and cookies
to track users, were only discovered by opening up the hood and seeing
how things really work. Companies do not publish this kind of
information publicly.

Sometimes they even disavow that they meant to design and build their
products to work the way they end up working. People engaged in
reverse engineering are a check on the ability of companies to invade
our privacy without our knowledge. By going public with the
information they uncover, they are able to force companies to change
what they are doing lest they face a consumer backlash.

Uncovering security vulnerabilities is another domain where reverse
engineers are sorely needed. Whether by poor design, bad
implementation, or inadequate testing, products ship with
vulnerabilities that need to be corrected. No one wants bad security,
except maybe criminals, but many companies are not willing to put in
the time and energy required to ship products free of even well-known
classes of problems. They use weak cryptography, they don't check for
buffer overflows, and they use things like cookies insecurely. Reverse
engineers who publicly release information about flaws force
companies to fix them and to alert their customers in a timely manner.

The only way the public finds out about most privacy or security
problems is from the free public disclosures of individuals and
organizations. There are privacy watchdog groups and security
information clearinghouses but without the reverse engineers who
actually do the research we would never know where the problems are.

There are some trends in the computer industry now that could
eliminate the benefits reverse engineering has to offer. The Digital
Millennium Copyright Act (DMCA) was used by the Motion Pictures
Association of America (MPAA) to successfully stop 2600 Magazine from
publishing information about the flawed DVD content protection scheme.
The information about the scheme, which a programmer uncovered by
reverse engineering, was now contraband. It was illegal under the
DMCA.

Think about that. There are now black boxes, whether in hardware or
software, that are illegal to peek inside. You can pay for it and use
it, but you are not allowed to open up the hood. You cannot look to
see if the box violates your privacy or has a security vulnerability
that puts you at risk.

Companies that make hardware and software products love this property
and are going to build their products so that they fall under the
protection of the DMCA. :CueCat did this when they built their
product. They added a trivial encoding scheme, which they call
encryption, so that their bar code scanner was protected against
reverse engineering by the DMCA. We can expect to see many more
companies do this.

As more of our entertainment and the world's valuable information move
into the realm of digital content, we are sure to see a plethora of
content protection schemes. They will be built into software viewers
and browsers, operating systems, and the hardware itself: laptops,
televisions, video cameras, telephones, stereos, and practically every
electronic device. Will it all be off limits to reverse engineering?
Are we going to lose this important resource for learning about the
risks of living in our high tech society?

This is a future that is scary to me. One of the notions that was born
out of the Enlightenment is that at the core of human nature lies the
need to inquire about the world around us. As we move our discourse
and society into the digital realm it will be a tragedy to lose this
fundamental freedom which has served us so well.

Weld Pond is the manager of research and development with security
firm @stake Inc.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".