
Ask HN: Is reverse engineering a saleable skill? - dhruvkar
Wanting to make (for purely personal use) CLI tools out of commonly used apps, I got into discovering undocumented APIs a couple years ago and it&#x27;s been a lot of fun.<p>Recently, I got into decompiling android apps and hunting through source code to find how their security works and mimicking it on my end.<p>The pay-off is so little (e.g. instacart automated delivery, jimmy johns cli ordering etc.), but I&#x27;m absolutely in love with the process.<p>My day job is an odd mixture of managing operations and logistics at our warehouses and writing code (python&#x2F;django), so I have limited exposure to software companies.<p>There was a recent thread on unofficial APIs, so I ask --<p>Is this a skill that saleable in any way? Are there roles for this kind of thing?
======
cjbprime
"Malware analysis" is a subfield you're likely becoming qualified for, but
it's a relatively small field, especially compared to your Django skilset.

Joining a CTF team (e.g. the team I play on! OpenToAll) would be a good way to
build on the skills and meet some professional reversers to network with.

~~~
dhruvkar
>> Joining a CTF team

Thanks for that! I just submitted the registration form for OTA, looking
forward to it!

------
jetti
I'm surprised that bug bounties haven't been mentioned yet. Sites like
HackerOne and BugCrowd allow you to use (and improve) your skills while also
potentially making some money while doing it. While HackerOne has a lot of web
bounties there are a few mobile and desktop application bounties as well.

~~~
dhruvkar
Thanks, going to check out both.

------
WheelsAtLarge
Yes, but you need a reputation to get paid.

Ifixit is a company that is built around reverse engineering consumer
electronics. I also read about a company that completely breaks down cars to
determine the cost of manufacturing. And we see it all the time with "Security
specialists" who do their best to find security faults by partially reverse
engineering apps and such.

The early IBM clones were built by reverse-engineering the first machines from
IBM.

To get a reputation, I would start a blog, break down and explain whatever you
find interesting. Keep in mind that it will take a lot of work to get started
but if you love it, it might be lots of fun. It's important to focus and be
consistent.

~~~
dhruvkar
>> Ifixit, IBM, Cars

Brilliant examples, I never thought about it like that!

------
TheAdamAndChe
Yes, but if you aren't formally trained in this, you have to build a
reputation in order to get a good job.

I did really neat things as a kid, but because I didn't broadcast it or
document it, it doesn't seem to matter much to employers.

Start a blog & track your progress. Discuss your hobby with other people that
like it. Try to help others.

~~~
dhruvkar
>> Start a blog & track your progress.

Thanks for that. Writing is a skill that I have failed time and again to
develop. The 6 months I blogged, I still refer to those notes after 2 years.
It's so valuable.

------
non-entity
There a definitely RE and software roles than involve RE roles out there, but
I imagine you have to be pretty good at it. Thebreverse engineering subreddit
has job threads. Not sure how a hobbyist could break in, givenbthat most side
projects probably toe the legal side of things outside of CTF challenges and
such

~~~
dhruvkar
>> reverse engineering subreddit

Thanks for this resource, I just joined.

------
piracy1
Find 0Days. Sell them.

Edit: Also, you can try to find info leaks from public companies. For
instance, back when Fitbit only sold one device for one price. Roughly one
user profile meant one sale. The profile page was just /profile/[Base58
Encoded Number] and the number was a sequential ID. I was able to predict
their earnings pretty well for a quarter or two but then they started selling
more devices and the correlation was made more uncertian. If you find
something like that. A tangible signal, it's on inherent worth to *funds.

~~~
dhruvkar
I found zerodium.org for selling 0days among other hacks.

Are there other marketplaces for this?

------
dpeck
Look into the security side of things.

I did some research a few years ago doing the same sort of thing with jruby
and android APKs and it is a lot of fun but the main applications of it are
going to be in security, competitive analysis, and occasionally hacking things
for one-off integrations.

Be able to tell a story or two about doing it. If you can go 5 minutes deep on
a couple of subjects and be at least a little entertaining while you do it,
you'll get some job offers.

~~~
dhruvkar
>> Be able to tell a story or two about doing it

That's a great rule of thumb for anything! Thanks for that.

------
rasz
>managing operations and logistics

>Is reverse engineering a saleable skill?

Do you really want a pay cut?

~~~
dhruvkar
Wouldn't security pay a lot more in the long run?

My impression was security researchers (good ones), get paid at or above a
software engineer?

~~~
rasz
'managing operations and logistics' is not software engineering. Its a
management position with clear and direct positive influence on the bottom
line of the company and well defined promotion track all the way up to CEO
(for example Apple).

As for security work, ask someone on top of the game like Charlie Miller
[https://www.washingtonpost.com/world/national-
security/secre...](https://www.washingtonpost.com/world/national-
security/secrecy-surrounding-zero-day-exploits-industry-spurs-calls-for-
government-
oversight/2012/09/01/46d664a6-edf7-11e1-afd6-f55f84bc0c41_story.html) The only
clear path to serious money leads to black market.

Security, maintenance, even software engineering are most often booked as
business expense. Nobody invests in security, they incur it.

~~~
dhruvkar
Right, that it is and possibly I'll make a good amount of money that way.

However, we're a small company with lots of dependencies. E.g. To make $10M in
revenue we need ~30 employees, forklifts, trucks, warehouses etc. and are able
to run it at 10-20% margins. That's a lot to manage.

I'd rather be able to command a skill-based $300-$500K a year solo, no?

That article is 8 years old. Is it still as valid?

Would security, as a contractor, not be worth much more without

