It is Thanksgiving here in the United States. A day for reflecting on what we have been given and are privileged to experience. Seeing that opportunity handed down from generation to generation is both humbling and exciting; it is the perpetuation of a dream set in motion hundreds of years ago. A lot occurs on Thanksgiving. Multi-course dishes are prepared with care and style in millions of households, while friends and family gather to celebrate and spend quality time with one another, often on the field of battle — the touch football field. It is a wonderful day. It is a favorite of many, in some cases more special than Christmas. Thanksgiving Day is a beautiful thing, that is, until software houses begin hiring hackers as developers, placing millions at risk. Happy Thanksgiving! While preparing for my own festivities, I ran across this and had to stop and consider it on this day of thanks.
Today it was officially announced that an Australian mobile application development firm has hired Ashley Towns as a software developer. For those of you not familiar with Ashley’s work, he brought the world its first iPhone worm. Ashley created the now infamous ikee worm (aka Rickrolling). The ikee worm, developed by Towns and released earlier this month, changed the wallpaper of vulnerable, jailbroken iPhones to a picture of Rick Astley. Though the code’s earliest iterations were full of bugs and issues, it managed to accomplish its mission of replicating and posting a ghastly picture of Astley as a calling card. Towns has yet to be arrested for this offense; however, I seriously hope that when it occurs the courts take into consideration the fact that he re-inflicted Rick Astley on the planet, a crime for which hard labor is surely warranted. Towns’s worm shed light upon a major challenge facing the world today: the gaping security holes present in jailbroken iPhones. A number of other samples of malicious code and content can exploit jailbroken iPhones as well. Some, like the Duh worm, possess the capability to implement command and control (C&C) functionality on the device, thus enrolling the jailbroken iPhone in a botnet as a drone.
As it’s Thanksgiving, I am giving thanks that I do not own a jailbroken iPhone. Additionally, I am giving thanks that others within our industry, our peers such as Graham Cluley at Sophos, feel the same way. Here is what Graham had to say about this: “Don’t get me wrong – I don’t think virus writers shouldn’t be allowed to rehabilitate and do something worthwhile with their lives. But, it jars with me that Towns has shown no regret for what he did, and that now his utterly irresponsible behavior appears to have been rewarded. Will Towns be offering a token $5 compensation to all those he infected for the inconvenience he caused? I doubt it. There are plenty of young coders out there who would not have acted so stupidly, are just as worthy of an opportunity inside a software development company, and are actually quite likely to be better coders than Towns who made a series of blunders with his code.”
It jars me as well, Graham, and my hope is that after the tryptophan-induced comas here in the United States wear off, we will be able to explore this in more detail. For the time being though, I would ask the readers of this blog and our peers and colleagues to consider the implications of the Towns case. Recall that in another post I wrote about Blackhats, Whitehats and Grayhats… I feel that as Towns has neither demonstrated nor shown remorse for his actions, it speaks highly of his character. Additionally, it speaks to the character of the firm who would hire an unrepentant Blackhat as a legitimate application developer.
Comments
uberVU - social comments on 11.27.2009
Social comments and analytics for this post…
This post was mentioned on Twitter by CassandraSec: New Blog Post: Happy Thanksgiving! Please Pass the Cranberry Sauce and Your iPHONEs http://cassandrasecurity.com/?p=814...
Excuse me Sir, There’s a Worm In My Apple and a Potentially Damning Vulnerability in his Blackberry… : Cassandra Security on 12.09.2009
[...] late November I wrote a piece that discussed exploitation of jail broken iPhones and the introduction of worms to the world of [...]