Ask HN: Is reverse engineering a saleable skill?
19 points by dhruvkar 3 days ago | 18 comments
Wanting to make (for purely personal use) CLI tools out of commonly used apps, I got into discovering undocumented APIs a couple years ago and it's been a lot of fun.

Recently, I got into decompiling android apps and hunting through source code to find how their security works and mimicking it on my end.

The pay-off is so little (e.g. instacart automated delivery, jimmy johns cli ordering etc.), but I'm absolutely in love with the process.

My day job is an odd mixture of managing operations and logistics at our warehouses and writing code (python/django), so I have limited exposure to software companies.

There was a recent thread on unofficial APIs, so I ask --

Is this a skill that's saleable in any way? Are there roles for this kind of thing?

"Malware analysis" is a subfield you're likely becoming qualified for, but it's a relatively small field, especially compared to your Django skilset.

Joining a CTF team (e.g. the team I play on! OpenToAll) would be a good way to build on the skills and meet some professional reversers to network with.

>> Joining a CTF team

Thanks for that! I just submitted the registration form for OTA, looking forward to it!

I'm surprised that bug bounties haven't been mentioned yet. Sites like HackerOne and BugCrowd allow you to use (and improve) your skills while also potentially making some money while doing it. While HackerOne has a lot of web bounties there are a few mobile and desktop application bounties as well.

Thanks, going to check out both.

Yes, but you need a reputation to get paid.

Ifixit is a company that is built around reverse engineering consumer electronics. I also read about a company that completely breaks down cars to determine the cost of manufacturing. And we see it all the time with "Security specialists" who do their best to find security faults by partially reverse engineering apps and such.

The early IBM clones were built by reverse-engineering the first machines from IBM.

To get a reputation, I would start a blog, break down and explain whatever you find interesting. Keep in mind that it will take a lot of work to get started but if you love it, it might be lots of fun. It's important to focus and be consistent.

>> Ifixit, IBM, Cars

Brilliant examples, I never thought about it like that!

Yes, but if you aren't formally trained in this, you have to build a reputation in order to get a good job.

I did really neat things as a kid, but because I didn't broadcast it or document it, it doesn't seem to matter much to employers.

Start a blog & track your progress. Discuss your hobby with other people that like it. Try to help others.

>> Start a blog & track your progress.

Thanks for that. Writing is a skill that I have failed time and again to develop. The 6 months I blogged, I still refer to those notes after 2 years. It's so valuable.

There are definitely RE and software roles that involve RE roles out there, but I imagine you have to be pretty good at it. The reverse engineering subreddit has job threads. Not sure how a hobbyist could break in, given that most side projects probably toe the legal side of things outside of CTF challenges and such.

>> reverse engineering subreddit

Thanks for this resource, I just joined.

Find 0Days. Sell them.

Edit: Also, you can try to find info leaks from public companies. For instance, back when Fitbit only sold one device for one price. Roughly one user profile meant one sale. The profile page was just /profile/[Base58 Encoded Number] and the number was a sequential ID. I was able to predict their earnings pretty well for a quarter or two but then they started selling more devices and the correlation was made more uncertain. If you find something like that. A tangible signal, it's of inherent worth to *funds.

I found zerodium.org for selling 0days among other hacks.

Are there other marketplaces for this?

Look into the security side of things.

I did some research a few years ago doing the same sort of thing with jruby and android APKs and it is a lot of fun but the main applications of it are going to be in security, competitive analysis, and occasionally hacking things for one-off integrations.

Be able to tell a story or two about doing it. If you can go 5 minutes deep on a couple of subjects and be at least a little entertaining while you do it, you'll get some job offers.

>> Be able to tell a story or two about doing it

That's a great rule of thumb for anything! Thanks for that.

>managing operations and logistics

>Is reverse engineering a saleable skill?

Do you really want a pay cut?

All pay is not necessarily cash. Job enjoyment, after you obtain a certain level, is often more important.

Wouldn't security pay a lot more in the long run?

My impression was security researchers (good ones), get paid at or above a software engineer?

'managing operations and logistics' is not software engineering. It's a management position with clear and direct positive influence on the bottom line of the company and well defined promotion track all the way up to CEO (for example Apple).

As for security work, ask someone on top of the game like Charlie Miller https://www.washingtonpost.com/world/national-security/secre... The only clear path to serious money leads to black market.

Security, maintenance, even software engineering are most often booked as business expense. Nobody invests in security, they incur it.
