On Reverse Engineering

It has been a bit horrifying to watch the BitKeeper saga unfold. Not that it’s surprising of course that Larry rescinded the BK Linux license; if you know Larry or even know of him, you know that Larry’s tragic flaws — hypersensitivity, volatility and vindictiveness — made this an inevitability of sorts.1 So the horrifying bit has not been the act itself, but rather the specific reason that Larry cited when rescinding the license: he seems to have taken issue with Tridge’s attempt to reverse engineer the BitKeeper protocols. This rankles; I (like many engineers, I suspect) view reverse engineering as a Natural Right. That is, I believe that we are endowed with certain unalienable Rights, and that among these are Life, Liberty and the pursuit of Understanding how the hell something works (or doesn’t, as is frequently the case). Perhaps perversely to some, it is my strong belief in the right to reverse engineer that leads me to my equally strong belief in the responsibility of government to establish a system of patents: if you use my product, you have the right to take it apart and understand its inner workings, but I have the right to protect my intellectual property by patenting the novel mechanism that represents a non-obvious advance in the state of the art. That is, it should be the protection afforded by patents — and not the obfuscation inherent in a running system — that prevents the rip-off artists.2 My belief reflects the fact that nearly all applications of reverse engineering do not in any way violate anyone’s intellectual property — and the act itself and alone can never violate intellectual property.

I believe strongly in reverse engineering in particular, but it plays an especially critical role in the development of software: in my experience, when developing a layer in the stack of software abstraction, you always need to understand at least one layer below you and you often need to understand at least one layer above you — and reverse engineering is often the primary means to achieve this understanding. More generally, software is usually reverse engineered to work around oversights or blunders, or to simply understand a software system sufficiently well to interoperate with it. It is in part out of the recognition of the importance of reverse engineering in software development and integration that we developed DTrace — a tool which many regard as the ne plus ultra of software reverse engineering.

Returning to the case at hand, if BitMover believes that Tridge violated one of its patents, fine — BitMover should sue for infringement.3 But to rescind the free BK license simply because someone dared to even understand how it works is just…cowardly. In doing this, BitMover is exhibiting classic Bad ISV Behavior: they are devoting their efforts to preserving their natural monopoly (such as it is) over their own users — joining the fetid ranks of the ISVs that have demanded that we disable DTrace for their application. And it adds insult to injury for Torvalds to condemn Tridge for “ruining it for everyone.” Tridge “ruined it for everyone” just like Rosa Parks and Helen Gahagan Douglas and Nathan Hale and anyone else who ever took a stand for what was right. And I don’t mean this comparison to diminish the courage that it took these others to stand up to tyranny, but rather to underscore the degree that I believe that reverse engineering is a Natural Right. So I, for one, hope that Tridge continues to reverse engineer BitKeeper — and I would be honored if DTrace helped him do it.


1 I actually like Larry — he’s sharp, forthright, and engaged and he can be very sweet — but I do view him as ultimately tragic…

2 I also believe that patents have gotten way out of hand, and that the proliferation of bad software patents represents a serious problem — but that doesn’t change my feelings about patents in the abstract.

3 Of course, BitMover is unlikely to do this, for several reasons. First, it seems highly unlikely that Tridge has violated any BitMover patents if he has only reverse engineered the protocol. Second, even if he has somehow managed to violate a patent, there’s the little problem of damages to BitMover — or rather, the lack of such damages; if there aren’t damages, treble damages still amount to nothing. Third, even if there were enormous damages, who would pay them Suing Tridge is not likely to be terribly gratifying; I can’t imagine that his pockets are deep enough to even pay the substantial expense of just prosecuting patent infringement. And both Tridge and OSDL claim that the work was done in his spare time; if it wasn’t done using OSDL equipment, there isn’t much of a case to be made against OSDL. Finally, there is a more practical reason that BitMover is unlikely to sue for patent infringement: suing a well-known White Knight in the open source world for patent infringement would likely cause several megacorps with large patent portfolios to carefully review both their patents on SCM and the prior art in same. If BitMover is lucky, this would only result in a deluge of amicus briefs; if BitMover is unlucky, it would find itself buried in enough counter-litigation to destroy the company.

Posted on April 15, 2005 at 1:55 pm by bmc · Permalink
In: Solaris

8 Responses

Subscribe to comments via RSS

  1. Written by oz
    on April 15, 2005 at 4:44 pm
    Permalink

    bryan, if sun had a bitkeeper license for solaris change management, would you try to reverse engineer it against the license terms? if you did, what would you expect the reaction of our management to be, and what would you expect bitmover’s reaction to be?

  2. Written by nld
    on April 15, 2005 at 5:05 pm
    Permalink

    I find one detail largely missing from this discussion. Reverse engineering may be a right, but all rights can be waived. This is the case with the free bk license. If you want the ability to reverse-engineer the software, by all means pay for a license. If you are willing not to, then you can use the free version.
    I think that the one fuzzy bit of this discussion is the legal clarafication of who has agreed to the license in this case. Clearly the developer who was reverse engineering the bk protocol had not accepted it, though his employer had (presumably as an organization). I can’t claim to really speak to the value of this distinction.

  3. Written by lm
    on April 15, 2005 at 6:13 pm
    Permalink

    Hey Bryan,

    Long time no talk, good to see you weighing in with an opinion, which is interesting as always.
    And for the record, I like you too. I hired your college prof and he and I both think you are a great young engineer with a bright future. I’d love to hire you (and Mike S and Bonwick and …). The dtrace stuff is cool and we’re doing something similar with our database technology, you’d like it. You’d fit in here just fine, most of our technical processes are based on yours. We even have cstyle (with permission from Shannon :)

    Perhaps a few tidbits of information might interest you:

    Our customers are very pleased with the decision to focus on their needs.

    We’re not dropping our support of open source. We’ll continue to maintain the kernel in BK.
    We’re working with other groups, like MySQL, Xaraya, etc., to convert them to commercial in a way that works for them and the response has been overwhelmingly positive.

    We’re currently spending about $500K/year to support the open source community. As you know, we’re a small company and that is a big enough number to us that we notice it. We can afford to do it, it’s not that big of a deal, but we do notice it. And so do our customers. Our customers would prefer that we spent that money helping them rather than helping people who are attempting to damage our business.

    The BitKeeper we give away for free is junk compared to our commercial version. It doesn’t scale, it doesn’t handle binaries well, the network protocol sucks, etc. It’s our first pass, and we have pass 2 in the wings. It’s dramatically better. Are you suggesting we give that away to be copied as well?

    Here’s a thought problem for you.
    Imagine that Adobe gave away photoshop with a license that said “have it but don’t reverse engineer it” and people ignored the license. Would you fault Adobe for pulling the plug? If so, why? Aren’t they doing a nice thing by giving you a valuable product for free? Should you repay them by telling them it is your “Natural Right” to reverse engineer? If that’s your attitude, as a responsible member of society, doesn’t that mean that you are telling everyone “don’t give away anything, we’ll just copy it”? Imagine that you are running Adobe, you want to help the Linux crowd so you give away photoshop. How would you react to people copying something that you gave to them?

    The point is that people are reverse engineering something that they got for free with terms that said “don’t reverse engineer”. It’s not like they paid for it. If the open source community paid for their use of BK we’d have an extra $65,000,000 per year. That’s how much we are giving away. And you are arguing that that is not enough and we should also allow you to reverse engineer our gift. You may be right, it’s hard for me to see how, perhaps you can explain it to me?

    I realize that it is all the rage to beat up on BitMover and me specifically but come on, are you seriously suggesting you would do something differently? Pray tell, what would that be? If you have a good answer for this I’m listening.

  4. Written by Bryan Cantrill
    on April 15, 2005 at 7:47 pm
    Permalink

    Hey Larry,

    Not that I would have expected any less, but thanks for the thoughtful response.

    To be clear, I take no issue with your right to the business decision of eliminating the free BK — it’s your software, and you’ve got the right to your license terms. Rather, I take issue with the pretense that the decision was based on the fact that the free BK was being reverse engineered. I would rather the decision be made on purely business grounds; if you had said “we’re wasting too much money on this, especially with you people insisting on giving every gift horse a root canal,” you wouldn’t have heard a peep from me. (Perhaps a chuckle, but no peep.) But I sympathize with your position: phrasing it as a pure business decision would have saved you no wrath from the zealots, who don’t seem to understand that there are payrolls that have to be met. So am I suggesting that you shouldn’t have pulled the free BK? No, that’s your decision. But I am suggesting that the Natural Right to reverse engineer — and Tridge’s actions specifically — should not be casualties of that business decision.

    And I’m not telling anyone to “copy” anything; if reverse engineering is used to infringe on a patent, it’s exactly that: patent infringement. And frankly, the patent system wouldn’t be in such shambles if a few more patent infringment cases went to trial — allowing cases to settle eliminates an important check against bogus patents. So if reverse engineering is being used to infringe a patent, by all means, go get ‘em — but don’t confuse reverse engineering with infringement.

    Now, seeing as you gave me a thought experiment, let me give you one: what constitutes reverse engineering? If I’m snooping your packets to solve some problem, am I reverse engineering your software? What if I’m truss’ing the application? What if I’m using DTrace on it? Where do you draw the line, and how?

  5. Written by Bryan Cantrill
    on April 15, 2005 at 8:09 pm
    Permalink

    Oz and nld,

    The EULA’s position on reverse engineering is not terribly interesting absent court decisions upholding it — what a company makes you sign and what a court finds to be legally binding are often two very different things. (Witness the companies in California that still make prospective employees sign non-competes — even though non-competes are completely unenforceable in California.) I think the discussion is also largely immaterial to the specific case of Tridge and BK — he (supposedly) never agreed to a license, and was not using the software himself. Given that in Samba Tridge has reverse engineered Old Scratch himself, I trust that he knows how to reverse engineer without getting trapped by an ornerous EULA…

  6. Written by lm
    on April 16, 2005 at 11:43 am
    Permalink

    I think you are getting fixated on your “right” to reverse engineer, a fairly normal feeling for any scientist since science is all about knowledge and locking up knowledge just feels wrong.

    A discussion of reverse engineering misses the point in this case. Which is: BK was free. We’re not talking about a product for which you paid, we’re talking about a product that was free and came with terms that said “you get this only if you agree to not reverse engineer it and not help anyone reverse engineer it”. So there was a price tag and that was it. There was an explicit agreement that there wouldn’t be reverse engineering in return for which people got BK for free. Pretty simple arrangement and it worked for almost 6 years.

    So why would we do this if we knew it was going to be controversial? We know that stuff gets copied, everything good gets copied sooner or later. It’s that sooner or later that was the point. By giving away the product it was getting into far more hands and minds. And the people who were getting it for free are the people most likely to copy the technology. If they copy it and put us out of business we couldn’t provide the support we’ve been providing for free for ~6 years.

    Lots of people will jump up and suggest a support based business model. It simply doesn’t work for this market space. Compare us to MySQL, they are open source, they do support and they are making money. Why can’t we do that? Believe me, I’d love that. Let’s compare: MySQL: it’s a database and only a tiny percentage of the users believe that they could rewrite MySQL. BK: it’s an SCM and virtually all of the users believe they can rewrite BK. MySQL has a much easier job convincing a bank to give them support money than we have convincing Sun to pay for BK support. Right? If BK were open source you’d say exactly what you are currently saying about Teamware: it’s not that big of a deal, we can fix it, we don’t need support. All engineers think SCM is easy until they try to build one. But those same engineers wouldn’t dream of suggesting that a database is trivial and they can build one.

    So we’re back to the same nasty problem: give it away and lose the technology or don’t give it away and lose the ability to help out Linus. While you and many others have said that that is what patents are for, patents have their own problems as everyone likes to point out. But yes, patents would have been one way to solve the problem. But if we had patented BK early on there is little chance it would have been adopted for the kernel and that was the goal, give Linus some breathing room. So patents didn’t work for us at that point.

    We really didn’t see any other answer than the license that fit the problem space and still don’t. In retrospect, about the only thing I’d change if I got to do it all over again is to have found someone more polished to be the public face of BitMover. And even that is not such a clear call because in spite of my flaws I have a lot of credibility in the industry as a smart guy and that credibility was required. Nobody else volunteered for this job so you got stuck with me.
    C’est la vie.

  7. Written by oz
    on April 16, 2005 at 1:34 pm
    Permalink

    bryan, organizations do not usually treat their licenses in
    a <em>speculative</em> manner for some future test in courts.
    nor do they always ask their employees whether or not they agree with the licenses they sign. this is
    about agreements and responsibilities.

    tridgell
    is not
    some random outsider that caused OSDL’s license to be pulled.

  8. Written by Bryan Cantrill
    on April 16, 2005 at 8:14 pm
    Permalink

    An operating system actually has the same problem as an SCM — everyone seems to think there’s nothing to it. It’s been difficult for us in Solaris to compete against this idea (the idea of a “commodity” operating system), and it has taken a combination of revolutionary technology (DTrace, Zones, ZFS, SMF, etc. — which are all proving that there is something to writing an OS after all) along with other more economic changes (zero cost RTU, embrace of x86 and x64, and open source) for us to compete effectively with Linux. For too long, we didn’t let ourselves compete effectively with Linux because we were too afraid that they would “copy us”; it took us years to (collectively) figure out that keeping Solaris closed was doing us more harm in competing against Linux than their “copying” ever could.
    And after having open sourced DTrace, something else has become clear to me: the same arrogance that leads one to believe that SCM is easy or that an OS is a commodity will also lead one straight to the tarpit of NIH. NIH is obviously endemic to technology, but it seems to run much stronger in some open source corners than it ever has in industry. I have some ideas on why this is so, but I’ll save those thoughts for another day; my point to all this is this: you and I both know that BK has a huge lead over everything else out there, so have some confidence in that fact. If Tridge decides to develop a “BK killer”, well, you understand this problem much better than he does and you have a huge lead. Even if he understands how BK works, and even if you have no patent protection, it still needs to be implemented — and you know that that’s non-trivial. Indeed, by reacting so strongly to Tridge’s reverse engineering, you’re leaving the world with the mistaken conclusion that SCM is easy, that with a little reverse engineering one can clone BK, and that only by having onerous licensing terms can you prevent any bozo from solving the same easy problem that you solved. You have to have the confidence that it’s a tough problem (it is), that it’s going to take more than a little knowledge to develop something that can replace BK (it would), and that competition is ultimately in the best interest of your users anyway (which it most certainly is).

Subscribe to comments via RSS