[erosenbe0]

Industrial espionage is not involved here. This is just reverse engineering that escalated into something that might be misconduct.

Espionage would include things like illegally surveilling the competitor's networks, bribing their employees for information and credentials, using malware to create backdoors, social engineering, blackmail, poaching their talent and incentivizing unethical disclosure of trade secrets, and cracking systems that explicitly bar access.

Reverse engineering their product through public IPs is legally acceptable up to CFAA boundaries, which are fuzzy, and it's not clear what kind of exploits were involved in this situation. They may have been relatively benign reverse engineering, or they may have been something associated with civil and criminal penalties.

[tptacek]

From exactly where do you draw the conclusion that "reverse engineering a product through public IPs is legally acceptable up to CFAA boundaries"? What are those "CFAA boundaries"? There is no exception to the CFAA for "reverse engineering"; there is only exceeding your authorization, or not.

There is a lot of authoritative writing about the legality of reverse engineering (long story short: reverse engineering is mostly fine, legally) --- but that writing covers reverse engineering stuff running on your own computer. It categorically does not extend to reverse engineering software running on other people's computers without their permission. You'd easily get into a bunch of trouble assuming otherwise.

A lot of terrifying stuff on this thread! It's good this person already has a lawyer.

[erosenbe0]

I agree with you that reverse engineering does not extend to anything one pleases on the internet.

I also don't see game-modders or game cheaters regularly going to prison even though gaming is an enormous industry.

So clearly there is some tolerance as connectivity being ubiquitous blurs the line a bit though. An app I reverse engineer on my device, may as a side-effect make some communications with a third party asset, though primarily it is all my stuff. The same applies to a cars and other items, surely.

That being said financial account creation is definitely NOT the place to take risks. Same with government systems. Pretty quick many other laws and regulations ij the book come into play. They can be very broad too.

[tptacek]

The bright line here is between code running on machines you own, and code running on machines you don't own. It's not complicated.

[tsimionescu]

You personally reverse engineering an app on your phone has been quite well established as legal.

You releasing a competing product after having personally worked on reverse engineering someone's product is a lot murkier, and easily opens you up to copyright lawsuits, which you'll have a hard time fighting if you do happen to have similar code, since in copyright it matters not just if the code was similar, but also whether it's likely that you actually copied it (unlike patent law).

This can and has been done, but normally you want a very clear firewall between the reverse engineering team and the dev team, with lots of paperwork proving that no-one on the dev team ever saw a line of code from the reverse engineering team - they were only told concepts and ideas, which are not copyrightable. This is how the first free Unix was created, for example.

[arcwhite]

The perception of the possibility of the perception of industrial espionage is usually enough to get a lawyer choked up in cases like this - I wasn't saying there WAS industrial espionage, just that there might have been the possibility of painful allegations thereof...