[wolfgke]

> I'm inclined to agree that people who commit "crimes of skill" are better able to repay their debt to society by using their ability for good rather than rot in a cage.

I agree with the mind of this statement. The problem is: For lots of such skills, it is hard to find jobs where these are needed (for example reverse engineering). Based on my personal observation, to stay in the example, there exist much more skilled reverse engineers than jobs where these skills are useful/needed.

[blackflame7000]

Do you have any idea how many engineers on a daily basis are either reverse engineering some government weapon, or a competitions product, or a geopolitical strategy? Being able to understand exactly how things work, allow you to anticipate and even dictate how they will behave.

[aerovistae]

I find this profoundly unlikely.

[wolfgke]

> I find this profoundly unlikely.

I know lots of examples where this is the case (I am talking about Germany, where the situation might be a little different, but I do not believe that the difference is too large).

I know some really great reverse engineers who have difficulties to find a decent job (they get through with some badly paid jobs that are far below their skills).

I can assure that I have hardly ever seen a job ad where reverse engineering (as in software) skills are even mentioned. And I openly admit that I (who also have some knowledge in reverse engineering) would not even know where to ask/look for a job that gratifies such skills. Be assured that I would have passed on such job hints if I knew of any.

In my observation the whole "IT security" scene (I am aware this is a somewhat different area than reverse engineering) is a close-knit circle that is hard to get into. If you are able to get into, I have strong evidence that the salary is actually rather good. But I have no idea how to get into the inner circle where the job offers await.

Seriously: I have some colleagues who even asked me with my knowledge about security why I do not get into this the field of activity of IT security. I tell them to give me hints how to get into this inner circle where the interesting job offers await. None of these loudmouths could tell me. Of course...

EDIT: I could go on and on. The statements stay the mostly the same all the time: Where can such a person find job offers?

[blackflame7000]

Reverse Engineering is a much broader field than simply in the context of software engineering. But it takes an engineering mind to be able to replicate another engineers work. Other examples include: bomb squad detectives, Root cause analysis experts, market/competition research, Prototyping(taking apart an existing product and adapting it to make a new one). NTSB agent which I think would be really interesting.

[wolfgke]

> Reverse Engineering is a much broader field than simply in the context of software engineering.

I will not disagree. But I am explicitly talking about reverse engineering as in the original article (i.e. mostly software and to a lesser (but not less important) sense electronics).

I do not know enough details about the other segments that you mention to make deep statements about them. But I am pretty confident in my opinion that the kind of skills that you require for them are really different from those that you need for software/electronics reverse engineering. What I want to say with this: The skills that you need for hacking an XBox (as in the article) do hardly ever transfer to any of your examples (bomb squad detectives, Root cause analysis experts, market/competition research, Prototyping, NTSB agent).

[kumarharsh]

I can think of some fields where these kids would be well suited - like employing them to make the XBox Live/PS/Steam gaming networks more secure, or employed by game companies to root out the cheaters (Sea of Thieves being a very recent example of a game infested with too many cheats).

[wolfgke]

> I can think of some fields where these kids would be well suited - like employing them to make the XBox Live/PS/Steam gaming networks more secure

In my opinion/experience, finding loopholes/security bugs in an existing system and designing systems that are unprone to security bugs are two very distinct skills. It is quite imaginable that many people that people who work in the branch become good at both, but being good at one of them does not make you good at the other.

EDIT: The only kind of knowledge that comes spontanously to my mind that transfers well between both areas is having an immense amount of obscure knowledge about weaknesses in lots of protocol designs.

[blackflame7000]

Of course, they do! Reverse engineering is the skill of being able to see how things are put together without having the whole picture. It's having an intuition of where to find the clues to solve the bigger puzzle. From decerning which chip to decode to find the encryption key, to deducing that a broken fan blade is the only item that could strike a window at high enough velocity to shatter it, the skills are the same. A software reverse engineer is good because they possess many of the same traits as other types of reverse engineers. It's just a matter of how they apply their skill.

[wolfgke]

First: I respect your view on this topic.

> Of course, they do! Reverse engineering is the skill of being able to see how things are put together without having the whole picture.

I disagree and have done quite some reverse engineering out of private interest. To me it was mostly about learning and applying an excessive amount of knowledge about obscure trivia that can hardly be applied anywhere else (except perhaps for some really rare embedded developing stuff), such as knowledge about some obscure flags in the linker format, knowledge about aracane details of the call convention and instruction encoding, arcane features of the respective CPU/chipset that probably only OS developers are even aware of, etc.

This is what > 90% of reverse engineering consist of for me: Learning/having/applying an immense knowledge of a giant amount of arcane details that are hardly useful anywhere else.

> It's having an intuition of where to find the clues to solve the bigger puzzle.

I am not aware that I have used a lot of intuition. It is rather a lot about documenting everything well, documenting how each subsystem/function relates to others, ... lots of long, monotonous (but not boring) documentation. The reasons is that if you do not document a lot, you will soon be struck by the immense amount of details. A little bit like how you would document the inner workings of a space ship that landed on earth exhaustively in terms of lots engineering diagrams.

[WonkeyMonkey]

As you say infoSec groups are _very_ close-knit. Normally forming groups based off of geographic location due to regular social meetups. These groups also are normally all part of an online chat (think irc, but most people have moved onto some other platform these days)

If someone were looking to join the easiest way would be find a conference near you. In the US pretty much any major city has these, but in other countries I'm sure they are just as common. Some are very professional, some are less so. If there is copious amounts of drinking you're at the right place. Generally the smaller the conference the better, so that also means less advertising and harder to find

Lots of different InfoSec groups go to meetups so at that point just talk to as many people as you can, it might seem difficult to break into a group without anyone to vouch for you but most of the time everyone is open to newcomers

[lagadu]

As someone who does work in security: the field is far wider than you seem to imply really.

When you say "IT security" do you mean pentesting? Access management? Network security? ISO 27001 auditing? Working with any of the many security-related software suites around?