by arcwhite 1554 days ago
Lots of people suggesting that either company was out of line here, but like, CFAA is still a thing (assuming OP is in the USA) and it's still got gnarly teeth. Let alone the possibility of industrial espionage allegations...

If you're going to go hack on a company, make sure you have some legal protection first. Check disclose.io or the company's website (look for a security.txt!) to make sure there's some sort of safe harbor provision, or a pre-existing vulnerability disclosure program or bug bounty program that allows you to do this kind of testing.

If you're not going to do that, then disclose the vulnerability anonymously and cover your ass while you're testing, or just don't.

Meanwhile if you're an American please write your local representative and express your displeasure with the antiquated, overly-simplistic CFAA and ask them to support initiatives to have it replaced or removed.


CFAA isn’t going away.

> If you're not going to do that, then disclose the vulnerability anonymously and cover your ass while you're testing, or just don't.

No. Just don’t. Know that video about not talking to the police because they interrogate people all day long and you’re an amateur in a pro fight? Same thing with infosec. We attribute IOCs to noobs all day long.

You don’t need a criminal record. It’ll ruin many parts of your life. I have friends who can confirm that the record they got in their late teens or early 20s closed many doors. Join a formal bug bounty platform and find legitimate work there.

> CFAA isn't going away

There are some pretty concerted efforts in play to at least have it updated and tempered, which could have legs. I don't hold much hope it'll go away, but I do think some of these efforts to have it replaced could have legs.

> No. Just don’t.

Yeah, fair, I mean I'm all too aware of the consequences myself, but within this setting telling a bunch of people "thou shalt not" seems almost more harmful (IMO it's akin to saying "never roll your own crypto" which someone inevitably ends up taking as a challenge)

Until we fix the laws, I'd suggest just letting the world burn until voters and lawmakers get tired of half the country's personal data being stolen once a month and make a safer landscape for hackers to report vulnerabilities.
I do hope those efforts succeed. I think the parent meant to state "hasn't gone away," but even if they didn't, the point remains if you replace that.

I hate the CFAA, to be clear; it's just definitely still the law.

Industrial espionage is not involved here. This is just reverse engineering that escalated into something that might be misconduct.

Espionage would include things like illegally surveilling the competitor's networks, bribing their employees for information and credentials, using malware to create backdoors, social engineering, blackmail, poaching their talent and incentivizing unethical disclosure of trade secrets, and cracking systems that explicitly bar access.

Reverse engineering their product through public IPs is legally acceptable up to CFAA boundaries, which are fuzzy, and it's not clear what kind of exploits were involved in this situation. They may have been relatively benign reverse engineering, or they may have been something associated with civil and criminal penalties.

From exactly where do you draw the conclusion that "reverse engineering a product through public IPs is legally acceptable up to CFAA boundaries"? What are those "CFAA boundaries"? There is no exception to the CFAA for "reverse engineering"; there is only exceeding your authorization, or not.

There is a lot of authoritative writing about the legality of reverse engineering (long story short: reverse engineering is mostly fine, legally) --- but that writing covers reverse engineering stuff running on your own computer. It categorically does not extend to reverse engineering software running on other people's computers without their permission. You'd easily get into a bunch of trouble assuming otherwise.

A lot of terrifying stuff on this thread! It's good this person already has a lawyer.

I agree with you that reverse engineering does not extend to anything one pleases on the internet.

I also don't see game-modders or game cheaters regularly going to prison even though gaming is an enormous industry.

So clearly there is some tolerance, as connectivity being ubiquitous blurs the line a bit, though. An app I reverse engineer on my device may, as a side effect, make some communications with a third-party asset, though primarily it is all my stuff. The same applies to cars and other items, surely.

That being said, financial account creation is definitely NOT the place to take risks. Same with government systems. Pretty quickly, many other laws and regulations in the book come into play. They can be very broad too.

The bright line here is between code running on machines you own, and code running on machines you don't own. It's not complicated.
You personally reverse engineering an app on your phone has been quite well established as legal.

You releasing a competing product after having personally worked on reverse engineering someone's product is a lot murkier, and easily opens you up to copyright lawsuits, which you'll have a hard time fighting if you do happen to have similar code, since in copyright it matters not just if the code was similar, but also whether it's likely that you actually copied it (unlike patent law).

This can and has been done, but normally you want a very clear firewall between the reverse engineering team and the dev team, with lots of paperwork proving that no-one on the dev team ever saw a line of code from the reverse engineering team - they were only told concepts and ideas, which are not copyrightable. This is how the first free Unix was created, for example.

The perception of the possibility of the perception of industrial espionage is usually enough to get a lawyer choked up in cases like this - I wasn't saying there WAS industrial espionage, just that there might have been the possibility of painful allegations thereof...
I hope one day you are never a victim reading some asshole talk down to you about why it's your fault.