iPhone 'malware' writer gets job - slight outrage ensues
Write a worm, get a job? In some cases, yes - and in the case of Ashley Towns, absolutely yes – even though his hiring, by the Australian company mogeneration, has brought cries of outrage from some security companies.
Towns wrote Ikee, a proof-of-concept worm that found jailbroken iPhones on which (a) people had installed SSH to upload programs and (b) hadn't changed the root password: it then changed the phone's wallpaper to Rick Astley.
He was emphatically not the person behind the more recent, malicious form of the same worm which tries to phish banking details from people – although that did use his code as a template.
"We interviewed Ashley, assessed him with our iPhone developer test – which he passed with flying colours – and we employed him today," a spokesperson for mogeneration told the BBC.
So programming expertise which shows up weaknesses in systems that people have hacked themselves should get rewarded, right? Not according to Graham Cluley of Sophos, where apparently they "reacted with bewilderment" at the news.
"It's very important that a clear message is sent out that writing viruses and worms is not cool, and not a route into employment," said Cluley, senior technology consultant for Sophos. "It's ironic that the owners of iPhones that have not been jailbroken may now find themselves running code written by a virus writer. Customers of Mogeneration may well ask for an explanation for the hacker's employment - and those who were inconvenienced as a result of his worm may wonder when they will be compensated."
Sophos estimates that between 17,000 and 25,000 iPhones "might be at risk of infection".
While I usually agree with Cluley, in this case I don't. The number of at-risk iPhone isn't Towns's fault. He didn't jailbreak the phones; he simply demonstrated to their owners that they had done something stupid, and demonstrated his own programming chops – in a good, non-exploitative way – at the same time.
Arguably, what Towns did is like someone who spots a broken door lock putting a message through the front door. (The metaphor gets a bit stretched here, because the worm did have to access the phone; it might be a bit like getting a robot to go in through the door and deposit the message and then leave, returning the door to its original state.)
Back to Cluley: "What disheartens me is that Towns has shown no regret for what he did. He admitted specifically infecting 100 iPhones himself, letting his worm loose in the process. Now his utterly irresponsible behaviour appears to have been rewarded. Will Towns be offering a token $5 compensation to those he infected for the inconvenience he caused? I doubt it... There are plenty of young coders out there who would not have acted so stupidly, are just as worthy of an opportunity inside a software development company, and are actually quite likely to be better coders than Towns who made a series of blunders with his code."
OK, so it wasn't perfect. But proofs-of-concept rarely are; they tend to be taking coding to a place it hasn't been before, so the writers are feeling their way somewhat. The most (subsequently) famous that I recall is the Word Concept worm: that started in 1995, when a programmer wondered about the new macro capabilities that had just been built into Microsoft Word. Sure enough, it proved possible to write a self-replicating worm that would infect the templates of Word documents (which is why you now find that Word has a preference not to automatically run macros in documents).
Known as Concept, by February 1996 it had infected around 25% of all corporations using Word - having only been devised in August 1995. However, its spread was helped by a big company which sent it out in a CD-ROM: Microsoft. In fact, it's now thought that Concept was written by someone working for the company - though most likely a temporary staffer, rather than full-time.
Towns isn't the first to have gotten a high-profile job via hacking. In 2001, the mayor of the town of Sneek in the Netherlands suggested that resident Jan de Wit, who wrote the Anna Kournikova worm, should be considered for employment in the town's IT department. Five years ago, Sven Jaschan, who authored the widespread Netsky and Sasser worms, caused what Sophos calls "outrage" and most others call "a bit of a shrug" in the IT community when he was hired by a German security firm. In 2007, the Chinese creator of a virus which changed icons to a picture of a panda burning joss-sticks was offered a job paying a million Yuan ($133,155) salary by a company which had been infected by his malware.
And that's not counting all the people who have been caught and given jobs who you haven't heard of. After all, think about the film Catch Me If You Can, based on real life: if you want to catch criminals, best to have one working for you, because they know how to think like a criminal far better than someone law-abiding. And if you want someone who's going to push the edges of what you do, find a proof-of-concept hacker.
Charles Arthur
Thursday 26 November 2009 13.52 GMT
guardian.co.uk © Guardian News and Media Limited 2009
Write a worm, get a job? In some cases, yes - and in the case of Ashley Towns, absolutely yes – even though his hiring, by the Australian company mogeneration, has brought cries of outrage from some security companies.
Towns wrote Ikee, a proof-of-concept worm that found jailbroken iPhones on which (a) people had installed SSH to upload programs and (b) hadn't changed the root password: it then changed the phone's wallpaper to Rick Astley.
He was emphatically not the person behind the more recent, malicious form of the same worm which tries to phish banking details from people – although that did use his code as a template.
"We interviewed Ashley, assessed him with our iPhone developer test – which he passed with flying colours – and we employed him today," a spokesperson for mogeneration told the BBC.
So programming expertise which shows up weaknesses in systems that people have hacked themselves should get rewarded, right? Not according to Graham Cluley of Sophos, where apparently they "reacted with bewilderment" at the news.
"It's very important that a clear message is sent out that writing viruses and worms is not cool, and not a route into employment," said Cluley, senior technology consultant for Sophos. "It's ironic that the owners of iPhones that have not been jailbroken may now find themselves running code written by a virus writer. Customers of Mogeneration may well ask for an explanation for the hacker's employment - and those who were inconvenienced as a result of his worm may wonder when they will be compensated."
Sophos estimates that between 17,000 and 25,000 iPhones "might be at risk of infection".
While I usually agree with Cluley, in this case I don't. The number of at-risk iPhone isn't Towns's fault. He didn't jailbreak the phones; he simply demonstrated to their owners that they had done something stupid, and demonstrated his own programming chops – in a good, non-exploitative way – at the same time.
Arguably, what Towns did is like someone who spots a broken door lock putting a message through the front door. (The metaphor gets a bit stretched here, because the worm did have to access the phone; it might be a bit like getting a robot to go in through the door and deposit the message and then leave, returning the door to its original state.)
Back to Cluley: "What disheartens me is that Towns has shown no regret for what he did. He admitted specifically infecting 100 iPhones himself, letting his worm loose in the process. Now his utterly irresponsible behaviour appears to have been rewarded. Will Towns be offering a token $5 compensation to those he infected for the inconvenience he caused? I doubt it... There are plenty of young coders out there who would not have acted so stupidly, are just as worthy of an opportunity inside a software development company, and are actually quite likely to be better coders than Towns who made a series of blunders with his code."
OK, so it wasn't perfect. But proofs-of-concept rarely are; they tend to be taking coding to a place it hasn't been before, so the writers are feeling their way somewhat. The most (subsequently) famous that I recall is the Word Concept worm: that started in 1995, when a programmer wondered about the new macro capabilities that had just been built into Microsoft Word. Sure enough, it proved possible to write a self-replicating worm that would infect the templates of Word documents (which is why you now find that Word has a preference not to automatically run macros in documents).
Known as Concept, by February 1996 it had infected around 25% of all corporations using Word - having only been devised in August 1995. However, its spread was helped by a big company which sent it out in a CD-ROM: Microsoft. In fact, it's now thought that Concept was written by someone working for the company - though most likely a temporary staffer, rather than full-time.
Towns isn't the first to have gotten a high-profile job via hacking. In 2001, the mayor of the town of Sneek in the Netherlands suggested that resident Jan de Wit, who wrote the Anna Kournikova worm, should be considered for employment in the town's IT department. Five years ago, Sven Jaschan, who authored the widespread Netsky and Sasser worms, caused what Sophos calls "outrage" and most others call "a bit of a shrug" in the IT community when he was hired by a German security firm. In 2007, the Chinese creator of a virus which changed icons to a picture of a panda burning joss-sticks was offered a job paying a million Yuan ($133,155) salary by a company which had been infected by his malware.
And that's not counting all the people who have been caught and given jobs who you haven't heard of. After all, think about the film Catch Me If You Can, based on real life: if you want to catch criminals, best to have one working for you, because they know how to think like a criminal far better than someone law-abiding. And if you want someone who's going to push the edges of what you do, find a proof-of-concept hacker.
Charles Arthur
Thursday 26 November 2009 13.52 GMT
guardian.co.uk © Guardian News and Media Limited 2009
