
boakes.org


Tags: Security

Bad-guys, 1, Good Guys, nil.

March 23rd, 2005, by Rich.


Reverse engineering a real-world object like the Eiffel Tower would require a few theodolites, perhaps a tape measure or two, and a big sheet of paper, in order to create a set of blueprints from which an identical tower could be built.

In computing, it’s a similar process: the low-level computer code that makes up a program can be turned into higher-level code that humans find more palatable. The result is a set of “blueprints” that allow an experienced software engineer to go beyond an understanding of what a program does; they know how the program does it.

Legally, this has been a grey area for some time. Although there are commercial & contractual technicalities that make reverse engineering code “a little bit illegal”, there are some important benefits.

To understand the benefits it’s first necessary to accept that there are some people in the world who are inherently naughty, and who will therefore reverse engineer code, and exploit any weakness they find - because they can, and because they don’t care about the consequences. Typically, an exploitable weakness will be something very simple that enables an attacker to gain control of a machine.

There is an opposing group of noble, unsung-superhero-type-good-guys who also reverse engineer stuff, but they don’t do bad things with it. Instead they analyse the vulnerabilities of many different pieces of software, and improve the process of software engineering by talking about the problems they see - because they can, and because they do care about the consequences.

Today, a French court has convicted a security researcher (one of the people in the second group) and dished out a €5000 suspended fine for the crime of reverse engineering an anti-virus product which he proved was open to exploitation.

So - all French superheroes are now open to large fines if they publish their findings. This means that they won’t publish. This will do nothing to stop the naughty people from reverse engineering software and exploiting the weaknesses, but it will stop the software manufacturers from improving their code, because the flaws won’t be found, not in France anyway.

Zoot alors.

Bad-guys, 1, Good Guys, nil.

One Response to “Bad-guys, 1, Good Guys, nil.”

  1. Curtis Earl Says:

    well, if France is anything like the US, those companies are more worried about securing their secrets than protecting their customers. god forbid someone alert us that our keys are in the door - we’d much rather accuse them of scouting our home for invasion… because, logically, that’s why they mentioned it.
