Ask HN: Am I allowed to reverse engineer an Internet service and blog about it?

6 points by nicothieb ↗ HN
I've been working lately with a reverse proxy to pen test our own app and I actually see some very interesting network traffic on both my laptop and my phone. I would like to investigate services I use and blog about how they work. I find it being very instructive but fear potential legal consequences.

Examples of such services are iCloud, Dropbox, Facebook, etc..

7 comments

[ 0.22 ms ] story [ 34.1 ms ] thread
Interesting, how do folks who find security holes and blog about it get around this type of thing? I imagine you are worried about this, or IP issues?
I don't plan in exposing security issues. I'm just worried that if you write a post on how iCloud backs up your device on S3 someone might feel offended.
FWIW I'd be into these posts.
> Am I allowed to reverse engineer an Internet service and blog about it?

Possibly and in some cases, however this might run afoul of the laws that prohibit defeating computer security schemes.

My point is that the answer is not simple, and a behavior that may be completely acceptable for case A might be a felony in case B.

Source: http://www.law.cornell.edu/uscode/text/18/2701

Quote: "(a) Offense.— Except as provided in subsection (c) of this section whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section."

Most of these services have public documentation about how they work in terms of network oriented APIs, or failing that some sort of SDK whose structure will typically be representative of the network traffic. For example this is what Dropbox say https://www.dropbox.com/developers/core/api

You can reverse engineer protocols for the purposes of interoperability in Europe. However there are various fine print details that matter and changes in the last few years. The wikipedia page has a summary and references to the legislation http://en.wikipedia.org/wiki/Reverse_engineering#European_Un...

However if those services have been written correctly they will be using SSL and you shouldn't be able to see what is going on with network sniffers (other than DNS names and traffic analysis).

That means reverse engineering the software which is hard and time consuming (eg you need to know assembly and using debuggers at that level). Some like Skype use anti-reverse engineering techniques. Tools like IDA help as a starting point.

However chances are that all that software you downloaded had some sort of click agreement that you agreed to saying you won't reverse engineer the software. That adds another layer of legal issues you need to address.

You can actually analyse most ssl traffic with a man in the middle proxy. All you need to do is to reencrypt the the data with your own certificate and accept to signing certificate as trusted on your computer.

SSL is not obfuscation, it is about maintaining a chain of trust.

I've written one of those before(1). For general browser traffic it isn't problem since you can add the proxy cert to the browser or whatever it uses. For apps (ie non-browser) it will depend on their certificate checking code, which for best practise should not accept any old gunk the OS/browser does.

(1) For a test I used my bank which had all sorts of RSA checked and similar logos all over the "secured" pages. Needless to say those logos remained even though I was going through a man in the middle.