Filed under: iPhone, Jailbreak/pwnage
iPhone worm author really goes to work
While you have to go to quite some lengths to be vulnerable to it, jailbroken iPhones have been under fire for susceptibility to a particular SSH-based type of worm that has seen a lot of press lately. One of the developers, Ashley Towns, who helped to get the "rick" rolling, as it were, has just announced his employment at an iPhone game firm.Sophos is reporting that he'll be taking up shop at mogeneration, the developer responsible for such hits as Xumii [iTunes link], a cross-social networking communication app, and Moo Shake! [iTunes link], a farm-based activity game for kids. It is an interesting turn of events given that mogeneration even reported on the topic of Ashley's now-infamous rickrolling iPhone worm.
I personally think that there is a lot of potential for coders of malware to embark on legitimate careers as developers coding for good. However, I don't favor the thought that malware developers are essentially getting 'rewarded' for their dangerous work. There is nothing from mogeneration to imply that Towns was hired based on the notoriety of his SSH-based worm, but I can't help thinking that there are other, more talented iPhone developers who have stayed below the radar by not writing malware.
I want to know what you think. Should developers of intentionally malicious software be given a clean slate and a new life? Or perhaps should they be feeling the effects of the law's very long arms?
[via Techmeme]
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
ianlive said 3:20PM on 11-26-2009
I think it's pretty disgusting. Your talents should sway someone to overlook the fact that you intentionally set out to cause harm and headache for other users, iPhone or other OS's.
Personally I think malware coders suffer from small dick complex (sorry to the younger readers). It seems similar to me to hip hop artists that feel the need to tell everyone they are the next big thing.
If you're really great, people will notice. You don't have to shout about how awesome you are. Especially with malevolent code. I think it is the wrong way to present yourself. By about 180 degrees.
Reply
Yazdgerd said 11:15AM on 11-27-2009
Agreed, dumb story. Someone does nonsense, others hire him! I don't have any good feelings towards this guy.
ianlive said 3:23PM on 11-26-2009
I meant "shouln't" sway.
Reply
Monica Dickey said 4:44PM on 11-26-2009
Seems more like a practical joke than malware... I mean wasn't his rickroll thing just a mass log-in and wallpaper change to anyone dumb enough not to change from the default password once they jailbroke their phones?
Congrats to him if he got a real job from doing something so ridiculous. He didn't hurt anyone and hopefully those people learned a lesson about not using a default password after they install something.
Reply
Jaap said 4:53PM on 11-26-2009
I agree. A pic of Rick Astley is hardly malware. Good luck to the guy. It wouldn't suprise me if the thing was rigged, anyway; the company gets more publicity than they could have bought.
Farris said 5:33PM on 11-27-2009
Jaap:
The malware portion of it was when he required people to pay him 5 dollars for the "fix" to get Astley off their phone, IIRC.
macserv said 2:29PM on 11-29-2009
If I remember the story right, he stopped demanding money shortly after he started, and the worm actually closed the open security hole behind it. Really benign as far as malware goes, IMO.
Ian said 4:58PM on 11-26-2009
I dunno. I don't condone his methods but he did the world a great service IMHO.
He launched a benign worm that made all iPhone users sit up and pay attention. Even those not directly affected reset their SSH passwords.
Eventually, someone was going to release a worm that was going to be harmful. Had Ashley not released his first, I believe the disastrous results of the others would have been much greater.
Something to think about...
Reply
Dan Woods said 6:00PM on 11-26-2009
Ashley's Worm was actually pretty benign.
It exploited the well publicized hole, made the Phone's owner aware of the problem (and made them look like an idiot at the same time), and then changed the default password ('securing' the known exploit) so nothing else untoward will happen to the victims phone (through the same hole).
It's a lot more Noble than charging victims a fee for instructions on how to undo the damage or phishing financial information out of victims.
Reply
pank said 9:10PM on 11-26-2009
Agree with you on this. IMO if he was truly a bad person he would use the exploit for some sort of gain (financial or creating some sort of damage). It really seemed like more of an alert to jailbreak users than anything else.
I'm glad to see he will be putting his skills to a better use though. Good for him....
robogobo said 6:09PM on 11-26-2009
yeah, I think it's pretty obvious that things could have been a lot worse. All three security compromises did little harm, and made everyone aware of a possible vulnerability. In this case, it was a pretty effective psa. In general, anyone who actually causes harm shouldn't be rewarded. However, it's those guys who are most capable of knowing how to stop the same shit that they start. Most of them are doing it as a curious hobby anyway, and just use the world's computers as their proving ground.
Reply
Charles said 10:18PM on 11-29-2009
I consider that what the programmer did is wrong. Even though the worm did not caused any damage it can be scary to users to have their phone's background changed without consent.
There are much better ways for programmers to get exposed, like for example creating freeware.
Reply
Pete said 6:59PM on 11-26-2009
What's to keep him from inserting malicious code into the apps that he will help produce for this company. I'd be hesitant to buy them myelf.
Reply
Dan Woods said 10:55PM on 11-26-2009
iPhone Apps sold through the App store go though a rigorous testing procedure prior to approval, including analysis of API calls used, much to the chagrin of many App developers.
If anything untoward was happening or likely to happen during normal use of the App, it will be detected during approval.
If something did manage to sneak though, the security of (non-jailbroken) iPhones will prevent the Rogue App from accessing other than it's own user data.
Jailbroken Phones have had this security disabled.
robogobo said 3:37AM on 11-27-2009
and, on that note, what's to stop anyone from sneaking in malicious code? The point is that the vulnerabilities were caused by users leaving the door wide open, in case you haven't heard that 1000 times over the past two weeks.
Geoff Miller said 7:40PM on 11-26-2009
I might go so far as to point out that the people being affected, should themselves, be punished - if one is to apply the righteous ire that the author is espousing. After all, they violated the EULA that specifically forbids the jailbreak in the first place. By the implied logic, they "got what they deserve". On the other hand, being the proud owner of a jailbroken iphone, I would say that anyone who is getting pwn'd by the exploit deserves it, since they installed software that they didn't install.
Reply
Richie said 9:27PM on 11-26-2009
You really have to look at it from the perspective of white hat and black hat hackers... if your doing bad things to people you need to be put in jail... if your joking with people and just playing around and it ultimately helps people know that they need to fix something wrong with there computer/phone then i call you a white hat and think you should be given a award... but if your doing it to be malicious and destroy or take information you need to be thrown in prison... Almost every security/programing company employees white hat hackers to test and make sure that there programs are secure...
Reply
djfred said 12:14PM on 11-27-2009
Disagree in this particular case. It wasn't a malicious worm and wasn't widespread enough to do any real harm. Considering the number of iPhones at risk for this type of exploit I think it's hard to argue that the publicity wasn't beneficial. And he was polite enough to plug the hole back up to prevent any other hackers from gaining entrance.
It's like noticing your neighbors door is standing wide open with no car in the driveway and being nice enough to lock it for them but only after leaving them a note written on a Rick Astley poster.
Reply
Mac Diva said 7:03PM on 11-27-2009
The striking thing about reading the comments of the pro hacker people is that they are not telling the truth about Ashley Towns. He did charge people money to regain control of their jailbroken iPhones until bad publicity forced him to back down. If he does something illegal while working for these developers, they will be held liable. You have to wonder if they considered that before hiring him.
Reply
Ian said 1:59AM on 11-28-2009
He did charge people money to regain control of their jailbroken iPhones until bad publicity forced him to back down
First time I heard about that. There was a Dutch hacker who did that though:
http://www.tuaw.com/2009/11/03/dutch-hacker-accesses-jailbroken-iphones-requests-5/