Xrfgtjtk

During the last few years, alongside with me diving into programming area, I've been playing some games of one company. Expectedly, two interests collided and part of my experience grew from the interest of exploring games. I began to reverse-engineer them and while reading binaries assembly is still impossible for me, what I did includes:

• data mining;


• files parsing (3D models, archives, data files, etc);


• netcode RE;


• MITM-ing game servers and altering the data passed between.

Some of the information I could find I released to public, including the last tool that enabled players to do things that are legal in game but developers could not enable them, and is capable of doing things that are illegal in terms of game logic, but of course, those are not included in the release.

In the nearest future, I plan to apply for a C++ developer job at this company and I wonder if and how should I mention these details.

Additional information:

• mentioned games are online games (think of MMO);


• the company has offices in many countries but the office in my city is not the one responsible for the mentioned games;


• while some of the data was exposed, the tools used to extract it and tools' sources never went public;


• game's sensitive data is kept private, such as items drop rates or certain values for damage calculations;


• game's ToS explicitly forbids reverse engineering it, but from what I've read it would only lead to game account suspension;


• no lawyer's advice was taken on this matter.

Some extra details:

• might this be an important detail (in certain ways), the company is mainly a mobile developer;


• the games are abandoned by 95% for a about year already due to the closure of responsible development offices.

Addressing some of the comments:

• people do release hacks for some of their games, and scripts for models extracting, however I never heard of their request to take such posts down;


• ToS forbids alterations and RE of the game, however there was a WoW-head-like site created by player, and company:
  
  
  
  
  1. Used it as a reference within game support over email;
  
  
  2. Wanted the player to keep developing the website;
  
  
  3. Did nothing to help him.
  
  
  
  


• the game is either not very popular among tech people as I've only seen a very few tools and only heard of a few people capable of doing it, or all of that is private as well;


• I consider my "hacks" to be more of a finding flaws in games logic, not actual cracks;


• 
  "If you don't tell them and get the job, you risk someone finding out later" is a very good point since when publishing information, I used either my in-game nick or my real name whilst I checked every released stuff to not contain either of those.

One of the long-lasting projects that provides some of the information to the public (mostly the one that is actually in-game) is in my resume as it gives ~2 years of experience before my first real job. I used it to apply to my current job but obviously no one asked about "How did you get information needed?", but I always could reply "Manual gathering, y'know."

Update: I've tried to get in contact with office HR via their social media group, but they reply ~ once in a month hence late update here.

Asking them direct question about their attitude to reverse-engineering lead to answer to look for jobs positions at their website. Ugh. Without any clear reply from them I guess I'll stick to silent position. Chosen answer provides some great ideas on how to nicely present the mentioned facts and I might follow them, I still have time until my possible application.

Here are key points from the answers:

1. Three possible scenarious exist:
   
   
   
   
   • Breaching the ToS is unacceptable.
   
   
   • It doesn't matter.
   
   
   • It depends.
   
   
   
   


2. Thoroughly read the ToS and EULA for explicit mentioning of RE.


3. Research about company's bug bounty programs, industry, their attitude for other people doing RE, if their posts get deleted, etc.


4. While the process of RE might be a good point on interview, what also matters is how you use obtained data and abilities.


5. It's better not to use your widely known usernames and/or real name if you decide to publish something, i.e. do not use your main GitHub account to post different projects.


6. If your information found associated with the data that shouldn't be publicly available, possible questions might be:
   
   
   
   
   • Why did you think that was okay to do?
   
   
   • If hired, why should we be confident that you won't violate your terms of employment?
   
   
   
   


7. If possible, you may try to find out their attitude by asking HR or someone who works there (and is your friend) some hypothetical questions.


8. If you found any flaws, security issues and any other unexpected behavior, considering reporting it to the appropriate game department.


9. If you decide to mention this on the interview, frame it in a positive way.


10. If you aren't sure how would they react, don't mention this.

Feel free to add more points or edit out the ones I understood wrong and that do not belong here.

I work as a Software Engineer turned Security Engineer at a computer games company.

Obviously, our ToS forbids people from reverse engineering things (and if you are reading this, don't take this as an admission that our ToS is not binding. Please do not break our stuff without our permission).

That said, we have to be intellectually honest about this sort of thing when we hire new engineers: You've, on balance, likely broken into our stuff, reverse engineered it, tinkered with it, etc. Reverse engineering is interesting! So, certain allowances have to be made: If I was interviewing a candidate who had reverse engineered our game (And I have done that in the past) I would be more concerned about whether or not their efforts had harmed the business or our customers rather than immediately ending the interview if they mentioned they had reverse engineered our stuff.

I don't put too much stock in "Violating the ToS is a bad thing and will immediately fail the interview" - At least in my field, if no one violated ToSes as they were learning, no one would get hired. Every product has a "no touchy" line in their ToS as a matter of course.

You have to make sure you frame it as a positive, though - and it's really hard to do that. If you can use it as a way to say, "Here's all the cool things I've done that demonstrate my ability" then that's great. But if you bring up the fact you broke into our stuff as a way to somehow insult the competency of your potential future colleagues, that's not a good idea.

I'd say at least in the security field this could go either way and it'd either be a good thing or a bad thing depending on how you brought it up in an interview. I can't see the software field being all that different, but it really depends on:

1. The company culture (Does the company have a Bug Bounty program?)


2. The industry (Some industries are a lot more... litigious.. than others)


3. Will you interview with a recruiter (who is more concerned with legality) or an engineer (who is probably more concerned with technical ability)?

As with any character trait that can be either a positive or a negative, if you aren't sure you can spin it as a positive in an interview, I would omit it.

The only one I think is a definite no in your question is this:

MITM-ing game servers and altering the data passed between.

This is definitely bad because it sounds like it altered other players experience. Once you go from simple exploration and self-education to altering the game experience, that's when you start getting into trouble.

Should I mention I've reversed engineered games of the company I
interview at?

You are likely already in a position to judge this for yourself, based on what you already know about the company and their game community.

Do lots of folks release game hacks publicly for this company's games? Do others reverse engineer their products and release tools? Most importantly, is that sort of activity celebrated by the company or discouraged? (As @BenBarden wisely points out ‘...and “game's ToS explicitly forbids reverse engineering it” suggests that this is probably not one of the companies that celebrates such activity.’)

If you are one of many that are encouraged in this arena then go ahead and tell them about it. If not, keep it to yourself.

If you aren't sure, then err on the side of caution and don't bring it up.

Some of the information I could find I released to public...

If what you already released to the public contains your name, then be prepared to answer questions about it during interviews. One obvious question would be "Why did you think that was okay to do?"

While doing what you did shows a good technical aptitude (and a strong interest in the companies products) the ethical concerns in your described scenario would be a showstopper for me.

While I doubt that you had any malicious intent someone willing to play fast and loose with ToS to the extent where they are (my emphasis):

MITM-ing game servers and altering the data passed between.

Assuming that's a live public server on an active game, well I can't see any benign reason to do that and that sort of thing would have me wondering what other rules and agreements they might decide don't apply to them. NDAs to control leaks of product info during development? How about peeking at sensitive data not needed for their job?

I'm not a rules-are-rules-are-rules person - someone who was saying how they reverse engineered an older game to see how it ticked (one that was no longer in active MMO-type use or heavy retail sale at the time) might still be a violation of license agreements etc but it's something I'd readily see as a positive, someone who was just keen to learn and in a way that couldn't impact the company or other users.